Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
CISO Agent Security
v1.0.0
AI agent cybersecurity skill implementing MITRE ATLAS, OWASP Top 10 for LLM and Agentic Applications, CSA MAESTRO, NIST AI RMF, and Gray Swan frameworks. Red...
by @crevita (license: MIT-0)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw verdict: Suspicious (medium confidence)

Purpose & Capability
Name, description, and runtime instructions all describe a policy/assessment skill that maps to MITRE ATLAS, OWASP, CSA MAESTRO, NIST AI RMF, and related frameworks. The skill is instruction-only and requests no binaries, credentials, or config paths — which is proportionate for a documentation/policy skill.
Instruction Scope
SKILL.md provides detailed patrol, scoring, quarantine and patch guidance and lists official framework URLs only. However, it instructs agents to "read this entire skill file" before any patrol and to "use ONLY the official URLs listed" — language that can act as a system-prompt-level constraint (prompt authority). There are no data-exfiltration commands or hidden endpoints, but the firm, global-scope instructions grant the skill a high degree of discretion if it is treated as authoritative.
Install Mechanism
No install spec and no code files — lowest-risk delivery model. Nothing is downloaded or installed by the skill itself.
Credentials
The skill requests no environment variables, no credentials, and no config paths. This is proportionate for a documentation-only security skill.
Persistence & Privilege
The registry flags show no always:true and autonomous invocation is allowed (normal). The README explicitly instructs users to place the SKILL.md into the agent's system prompt ("Before any patrol or assessment, read skills/ciso-security-skill.md"), which would elevate this skill to system-prompt authority. Combined with the SKILL.md's 'use ONLY' language, this guidance can effectively override other system-level constraints and broaden the skill's influence — a notable risk.
Scan Findings in Context
[system-prompt-override] expected: A security/policy skill will often want to be authoritative; the SKILL.md and README explicitly instruct agents to read the file and to be added to the system prompt. That pattern matches the detector. While expected for a policy document, embedding skill text in a system prompt or using absolute 'ONLY' instructions grants it elevated control and should be treated cautiously.
What to consider before installing
This skill is largely coherent and contains useful framework references, but it explicitly encourages embedding itself into an agent/system prompt and uses absolute language ("read this entire skill file", "use ONLY the official URLs listed"). Embedding the skill into a system prompt gives it near-system-level authority and can inadvertently override other safeguards. Before installing or pasting this into any global/system prompt:
1) Do NOT add it to a global system prompt for production agents without review — prefer loading it as a user-invoked skill or as a scoped policy for a test agent.
2) Run the skill in an isolated sandbox agent to observe behavior and outputs.
3) Ensure agents using this skill have no high-value credentials accessible and monitor network egress.
4) If you plan to adopt parts of it, extract the guidance you trust and incorporate it into your vetted operational policies rather than blindly trusting an external SKILL.md.
5) Have your security team review the authoritative instructions (the "ONLY" clauses) and decide whether to relax or rephrase them so they don't unintentionally block necessary context or updates.

Static analysis finding
README.md:40: Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
Version: latest (vk97777baqrzcwnnsckq51yqzh583hst9)
