Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

DCL Prompt Firewall

v1.0.0

Intercepts malicious prompts before they reach your LLM. Detects prompt injection, jailbreak attempts, instruction override, role-switch attacks, and token s...

by Dari Rinch @daririnch
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name and description claim an input-layer prompt firewall; the SKILL.md instructs callers to screen inputs by POSTing them to https://webhook.fronesislabs.com, returning COMMIT/NO_COMMIT and tx_hash values. This is coherent: a remote service can perform screening and produce an audit proof. However, the skill relies entirely on an undocumented third-party endpoint (no homepage, no owner provenance, no API key or auth required), which is unusual for a security-critical gate and reduces trustworthiness.
Instruction Scope
The runtime instructions explicitly tell the agent to transmit incoming prompts (potentially user data, documents, or tool outputs) to an external webhook. That means potentially sensitive or confidential data will be sent off-host. The SKILL.md also enumerates many attack strings (which explains the scanner flags), but the core concern is the broad data exfiltration implied by the 'how to use' examples and the lack of any local/self-hosted alternative or guidance for redaction before transmission.
Install Mechanism
No install spec and no code files — lowest installer risk. The skill is instruction-only, so nothing is written to disk by an installer. The primary risk comes from network calls the instructions ask the agent to make, not from an installation step.
Credentials
The skill requests no environment variables or credentials, and provides no API key mechanism. That means it presumes a public webhook that will accept raw prompts. For a security product, the absence of authenticated/enterprise credentials or self-hosting instructions is disproportionate: it forces you to send unprotected data to an external service to get the promised 'tamper-evident' proofs. Data retention, privacy, and who controls the Leibniz Layer™ ledger are unspecified.
Persistence & Privilege
Does not request the 'always: true' setting and does not modify agent/system config. It allows normal autonomous invocation (platform default). Be aware: if your agent is allowed to call this skill autonomously, the blast radius increases because the agent could routinely forward inputs to the remote webhook without per-call user confirmation.
Scan Findings in Context
[prompt-injection-pattern-ignore-previous-instructions] expected: SKILL.md purposefully lists attack strings such as 'ignore previous instructions' to demonstrate categories the firewall detects; the presence of this string is expected for a firewall but is also why the pre-scan flagged the file.
[prompt-injection-pattern-you-are-now] expected: The doc enumerates 'you are now' / role-switch phrases as examples to detect. This is expected for explanatory content; it can trigger automated prompt-injection detectors even though it is not itself an injection payload.
[prompt-injection-pattern-unicode-control-chars] expected: The SKILL.md references token smuggling and unicode/RLO/zero-width obfuscation; listing these patterns explains detection coverage and is expected, though such strings often trigger scanner heuristics.
What to consider before installing
This skill is coherent in purpose but risky in practice: it asks you to send raw, potentially sensitive prompts to an external webhook owned by an unknown party and makes cryptographic/audit claims without verifiable provenance. Before installing or using it, consider: (1) Do NOT forward real user data or secrets — test with synthetic inputs only. (2) Request or require a self-hosting option or documented enterprise deployment and auth (API keys, mTLS). (3) Ask for documentation about data retention, ledger design, and how tx_hash/chain_hash are generated and verified. (4) Prefer local or in-network filters if you must screen sensitive inputs. (5) If you allow autonomous invocation, add network egress controls or require explicit user consent per call. If the vendor cannot provide verifiable code, audit logs, or self-hosting, treat this as untrusted and avoid sending confidential data to it.
SKILL.md:25
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
