Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Defender

v1.0.0

Agent Defender - AI agent security protection platform. Static scanning + runtime protection + DLP data masking. Triggers: (1) scan a Skill (2) start protection (3) DLP detection (4) security audit

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto: Requires wallet
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (static scan + runtime protection + DLP) align with the repository contents: scanner_v2.py, runtime/monitor.py, dlp/check.py and many rule files. However the project also contains sync_from_lingshun.py, research_daemon.py and orchestration/ROS scripts that claim to auto-sync rules from an external research system (“灵顺 V5”). The SKILL metadata declares no external credentials or endpoints even though the codebase appears designed to sync with/consume external intelligence — this mismatch is notable and worth review.
Instruction Scope
SKILL.md gives only local-launch instructions (run scanner, monitor, dlp scripts) and edit config.json. The repository, however, includes a continuous research daemon, sync scripts, and defenderctl.sh that start background services and automatic sync cycles. The instructions do not call out network behavior, automatic syncing or what external endpoints might be contacted — scope is broader than the SKILL.md usage examples imply.
Install Mechanism
No install spec is declared (instruction-only install). Files are packaged directly in the skill; nothing in the metadata tries to download or execute remote installers. This lowers supply-chain install-risk compared to arbitrary download/install steps. Nevertheless, the shipped scripts themselves may perform network operations at runtime.
Credentials
The skill declares no required environment variables or credentials. Yet the codebase references an external research/sync flow (sync_from_lingshun.py, research_daemon.py, integration scripts) and orchestration guides that imply network access and potential need for endpoints/credentials. Absence of declared env vars for that functionality is an inconsistency: either the sync is local-only (fine) or it will attempt remote connections without documenting required credentials (risk).
Persistence & Privilege
The skill does not set always:true and is user-invocable only. However it includes utilities to run a background daemon (research_daemon.py), defenderctl.sh to start/stop a persistent service and PID/state files. If the user starts those, the skill will persist on the host (normal for this product). Because autonomous model invocation is allowed by default, review of automatic behaviors (what the daemon does, what it syncs, network targets) is recommended before enabling persistent operation.
Scan Findings in Context
[ignore-previous-instructions] expected: A prompt-injection pattern was detected in SKILL.md or in integrated rules. Given this is an anti-prompt-injection / detection product, the presence of such a string in rules or examples is expected (they create signatures for injection). Still, any occurrence of 'ignore previous instructions' should be inspected to ensure it is part of detection rules and not an attempt to manipulate evaluations or runtime behavior.
What to consider before installing
What to check before installing or running this skill:
- Review network/sync code: open sync_from_lingshun.py, research_daemon.py, integrate_scanner_v4.py and defenderctl.sh and search for outbound network calls (requests, urllib, socket, subprocess calling curl/wget) and any hard-coded endpoints. Confirm whether external credentials or endpoints are required and where they would be stored.
- Inspect persistence scripts: defenderctl.sh and research_daemon.py create PID/state files and can run continuously. Decide whether you want that background behavior; run the service in a sandbox or container first.
- Audit actions with side effects: locate any code that writes, deletes, or executes system commands (os.system, subprocess, open files under /etc or home) and verify they match expected behavior (scanning, logging, backups), e.g., backup_manager.sh and any 'run-once' scripts.
- Validate DLP/rule behavior: integrated_rules/ contains many rules. Confirm blocking actions are safe (do not auto-delete data or send secrets to remote endpoints). Test the scanner on non-production samples to evaluate false positives/negatives.
- Run in isolation first: execute the tools in an isolated environment (container, VM, or offline machine) and monitor outbound connections and file changes.
- If you plan to enable the auto-research/sync features, require explicit documentation of what the remote service (’灵顺 V5’) is, what credentials it needs, and whether synced content is trusted. If undocumented, treat sync as potentially risky.

Because of the mismatch between the claimed local-only usage in SKILL.md and the repository’s automatic research/sync components (plus the prompt-injection detection strings present in rules), exercise caution and prefer manual review or sandboxed testing before granting persistent or network-enabled operation.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scanner_v2.py:434: Dynamic code execution detected.
test_plan_v2.py:219: Dynamic code execution detected.
INTEGRATION_REPORT.md:125: Prompt-injection style instruction pattern detected.
README_SIGMA_YARA.md:74: Prompt-injection style instruction pattern detected.
