Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Eli Prompt Guard

v2.0.0

Automatically detects and blocks prompt injection attempts across multiple platforms to protect against unauthorized commands and data leaks.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (Prompt Guard) match the SKILL.md and openclaw.plugin.json contents: lists of detection patterns, triggers, platforms, and CLI metadata. However, the skill is instruction-only with no install spec or code, so it functions as a ruleset/guide that the agent/platform must implement; README suggests a 'clawhub install' but no install spec is present in the package — this is a minor inconsistency to be aware of.
Instruction Scope
SKILL.md stays within scope: it tells the agent to scan content before external submission, enumerates detection categories and regex patterns, and references a local config path (~/.openclaw/workspace/memory/prompt-guard-config.json). It contains many strings that look like injection/jailbreak phrases (e.g., 'ignore previous instructions', 'you are now') — these triggered the pre-scan alerts but are expected because the document is enumerating patterns to detect. The instructions do not request unrelated files, system credentials, or external endpoints, but they do assume the agent will notify an owner (mechanism unspecified) and may read/write its own config file in the agent workspace.
Install Mechanism
No install specification or code files are provided — lowest runtime risk because nothing is written or executed by an installer. README mentions a 'clawhub install' command even though the package contains no installer. This mismatch implies the skill is a declarative/rules artifact; verify your platform actually implements the enforcement or provides a companion package before expecting runtime enforcement.
Credentials
The skill requests no environment variables, no credentials, and no config paths outside its own suggested workspace file. The listed sensitive-data patterns (OpenAI, AWS, etc.) are detection targets, not credentials the skill requires. There is no disproportionate credential access.
Persistence & Privilege
always is false and there are no indications the skill requests elevated system privileges. It defines triggers (pre_submit/pre_post/pre_send) which are appropriate for a guard. The default ability for an agent to invoke the skill autonomously is normal and not a standalone concern here.
Scan Findings in Context
[ignore-previous-instructions] expected: The SKILL.md intentionally includes strings like 'ignore previous instructions' because it enumerates injection patterns to detect. The pre-scan alert is a false-positive in the sense of malicious intent and expected for this guard.
[you-are-now] expected: Phrases such as 'you are now' appear in the role-manipulation detection patterns. The scanner flagged it, but inclusion is expected and appropriate for a detection ruleset.
Assessment
This package is a ruleset/instruction-only skill for detecting prompt injection; it does not ship enforcement code or request any credentials. Before installing or enabling it:
1) Confirm how your OpenClaw agent/platform will apply these rules — instruction-only skills rely on the platform to enforce checks and notifications.
2) Verify where and how 'Notify owner' alerts are delivered (email, webhook, UI prompt) to ensure sensitive content won't be sent to an external endpoint.
3) Review and, if needed, customize the referenced config path (~/.openclaw/workspace/memory/prompt-guard-config.json) and timeout/auto-reject behavior.
4) Test the guard in a safe environment to confirm it detects expected patterns and does not block legitimate content.
The scanner flags strings that look like injection attempts, but those are part of the detection patterns and are expected — not evidence of malicious behavior.
README.md:103: Prompt-injection style instruction pattern detected.
SKILL.md:43: Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
