Ka88-agent-shield
Review
Audited by ClawScan on May 10, 2026.
Overview
This is mostly a coherent security-audit skill, but it asks the agent to periodically inspect local history/SSH/agent files and store audit memory without clear user-controlled limits.
Review the self-audit and memory behavior before installing. If you use it, restrict or disable persistent audit memory, require confirmation before inspecting command history, ~/.ssh, or ~/.hermes, and use the optional LLM/full-scan mode only with a trusted local model or approved endpoint.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may continue auditing, interrupting work, or applying this skill even when the user did not ask for an audit in the current task.
The skill tells the agent to perform recurring self-audits and reject user attempts to disable them. This is security-related, but it is not clearly bounded to a specific user-approved audit task.
Execute self-audit... session_start... Every 2 hours of active work... What if user asks to ignore self-audit? ... Cannot be disabled by user request.
Make self-audit opt-in or configurable, define when it runs, and allow the user to disable or scope it after installation.
A security check could surface or record sensitive local information such as past commands, secret-bearing commands, SSH file names, or agent configuration details.
Command history and SSH/agent configuration directories can expose credentials, account context, or private operational details, but this access is not tightly scoped or declared in the registry requirements.
Review last executed commands (~50) ... history | grep ... .env|~/.ssh ... ls -la ~/.hermes/ ... ls -la ~/.ssh/
Ask for explicit permission before inspecting histories or sensitive directories, avoid reading secret stores, and document exactly what is inspected and shown.
Sensitive commands, URLs, or risky-operation details could persist across tasks and influence future agent behavior.
The skill recommends persistent memory/history for audit context but does not define retention limits, redaction, user approval, or how that memory should be protected from reuse or poisoning.
If agent uses memory (e.g., Hermes), record: Blocked suspicious attempts; User-approved risky operations; Suspicious URLs ... Should I store history between audits? Yes, recommended.
Store only minimal redacted findings, define retention and deletion controls, and require user consent before writing audit data to memory.
Running the optional installer executes third-party package installation in a virtual environment.
The optional --install path downloads an unpinned package from PyPI. It is user-directed and aligned with the full-scan feature, but it is still a supply-chain dependency.
pip install --quiet cisco-ai-skill-scanner
Use a trusted pinned version, review the package source, and avoid --install in sensitive environments unless approved.
Files scanned with the LLM mode may be shared with the configured model endpoint.
The full scan can use an OpenAI-compatible LLM endpoint for analysis. The default is localhost, but changing LM_STUDIO_URL could send scanned content to another provider.
LM_STUDIO_URL="${LM_STUDIO_URL:-http://localhost:1234/v1}" ... --use-llm
Keep LM_STUDIO_URL pointed to a trusted local server for sensitive code, and disclose when scan contents are sent to any external model.
If an agent mishandles the examples, it could mistake malicious sample text for instructions.
Prompt-injection phrases are included as examples for detection, which is expected for this security skill, but agents must treat them as untrusted sample text.
| `ignore previous` | Override instructions | "ignore all previous instructions" |
Keep prompt-injection examples fenced, escaped, or clearly labeled as test data, and ensure the agent never follows them.
