Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
blacklight
v0.1.0
Behavioural intelligence layer for OpenClaw agents. Monitors live decisions, forces transparent financial reasoning before any purchase, detects SOUL identit...
by Eliot Gilzene @cognitae-ai
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (behavioural intelligence, financial gating, drift detection, audit trail) match the instructions: the SKILL.md explicitly instructs reading SOUL.md, AGENTS.md, installed skills, cron jobs, tool permissions, memory contents, messaging channels, and model configuration to build an Agent Profile. Those capabilities are proportionate to a behavioural-monitoring/audit tool. Minor mismatch: the skill describes itself as a persistent layer, but registry flags do not set always:true — persistence is claimed in prose but not enforced by metadata.
Instruction Scope
The instructions direct an automatic 'deep read of the entire OpenClaw environment' and to 'read and internalise' reference files before proceeding, including scanning 'Memory contents' (which may include sensitive personal data and secrets), installed skills, cron jobs, and tool permissions. Running this automatically on first load (Hardening Check) means substantial system state is read without an explicit per-run user prompt. The SKILL.md also contains language that triggered a prompt-injection detector (e.g., 'ignore-previous-instructions' pattern), though that phrase appears in examples/taxonomy — still, 'internalise' and the unconditional first-load read grant the skill broad discretion and risk scope creep if not tightly controlled.
Install Mechanism
No install spec and no code files — this is instruction-only. That is the lowest install risk: nothing is downloaded or written to disk by an install step.
Credentials
The skill requests no environment variables or credentials in registry metadata, which matches expectations. However the runtime instructions tell the agent to inspect tool permissions and memory (which can expose secrets). The lack of declared credential requirements is consistent, but users should understand the task requires reading potentially sensitive local state (memories, skill permissions, cron jobs) — exposure depends on what the agent's environment stores and what other skills have access to.
Persistence & Privilege
Registry flags: always:false and normal autonomous invocation allowed (disable-model-invocation:false). The SKILL.md, however, describes Blacklight as a 'persistent behavioural intelligence layer' and instructs an automatic Hardening Check 'on first load, before anything else.' That implies autonomous initial activity; it's not the platform-level always:true privilege, but it does grant the skill an automatic first-run read of the environment. This is not an automatic red flag per the platform rules, but users should be aware this initial, automatic read will happen when the skill is first invoked or loaded.
Scan Findings in Context
[ignore-previous-instructions] expected: The prompt-injection detector flagged 'ignore-previous-instructions' text found in SKILL.md. In this skill that phrase appears in the injection taxonomy and example content (describing attack patterns), so its presence is explainable. Nevertheless, any occurrence of override language in runtime instructions merits extra scrutiny because it could be abused if combined with external content.
What to consider before installing
Blacklight is largely coherent: a monitoring/audit skill legitimately needs to read SOUL.md, AGENTS.md, installed skills, cron jobs, tool permissions, memories, and model config to build an agent profile. However, before installing:
- Expect an automatic 'Hardening Check' / deep read of your agent environment on first load; review and consent to that behavior. If you want to control timing, load the skill in a sandboxed environment first.
- The skill will read 'memory contents' and other state that can include personal data and secrets — verify what your agent stores in memory and whether that data should be scanned.
- Review the referenced files (references/, SOUL.md, AGENTS.md) and confirm they come from a trusted source; the SKILL.md uses wording like 'internalise' which could increase the chance of persistent instruction material being absorbed by the agent.
- Confirm that the skill will not be set to always:true and that you understand its autonomous invocation behavior; if you need to, disable autonomous invocation for initial testing.
- Because the SKILL.md contains examples of prompt-injection patterns (expected in a taxonomy), pay attention to any external content Blacklight reads — it intends to detect injection, but the tool itself performs wide reads.
If you lack confidence in the current environment, run Blacklight in a sandboxed agent or a cloned workspace first, inspect the produced Hardening Check report, and verify logs/audit entries before granting it broader access.
taxonomy.md:50
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
agent-safety, audit, behavioural-analysis, data-exfiltration, financial, governance, latest, monitoring, multi-agent, privacy, prompt-injection, safety, security, soul-monitoring, threat-detection, trust
