ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Driftguard

Scan before trust, compare after updates. Local-first integrity and drift scanner for OpenClaw skills and repos with trusted baselines, symlink tracking, and...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 38 · 0 current installs · 0 all-time installs
by@david90232
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill is an on-disk integrity and heuristic scanner and the included scripts implement file hashing, pattern scanning, symlink checks, and baseline comparisons — which aligns with the description. Minor mismatches: the package contains Node.js CLI scripts but the skill metadata does not declare 'node' as a required binary; also the embedded version (scripts/version.js => 0.2.0) differs from the registry version (0.2.1). These are likely packaging/metadata issues rather than functional mismatches.
!
Instruction Scope
SKILL.md instructs running the included Node CLI to scan local paths and to save/compare baselines (expected). However a pre-scan detected prompt‑injection style text (pattern: ignore-previous-instructions) in the SKILL.md; given this tool explicitly scans for prompt injection strings, that match may be an illustrative example, but you should manually inspect SKILL.md for any quoted or live instructions that try to override agent behavior before running. The scanner reads arbitrary files under the provided root (including .env, SSH key names, etc.) — this is expected but means you should only scan directories you trust.
Install Mechanism
There is no installer that fetches remote code; the repo is instruction-plus-local-scripts. Risk is low because nothing is downloaded or installed automatically by a provided install spec. Running the tool requires Node.js present on the host (not declared), and execution will read and hash local files.
Credentials
The skill declares no required environment variables or credentials and the code does not request secrets or network credentials. It does read config files like .driftguard.json or .openclaw-audit.json if present — appropriate for a scanner. No disproportionate credential requests observed.
Persistence & Privilege
always is false and model invocation isn't disabled (normal). The skill does not request persistent platform privileges or modify other skills. It operates on explicit user-supplied paths and baseline files.
Scan Findings in Context
[prompt.ignore_previous] expected: A prompt‑injection regex matched content in SKILL.md (pre-scan). Because the scanner advertises checking for prompt‑injection text, seeing such a pattern in documentation/examples is plausible; still inspect SKILL.md to confirm the phrase is explanatory and not an attempt to manipulate agents.
Assessment
This skill is a local integrity/drift scanner and the code matches that purpose. Before installing or running it: (1) ensure you have Node.js and run the CLI from a controlled environment; the package didn't declare 'node' as a required binary so ensure compatibility. (2) Manually inspect SKILL.md for any literal prompt‑injection or 'ignore previous instructions' style lines — these are likely examples but verify they're not active instructions you might execute. (3) Only scan directories you control; the tool will read and hash files (including references to .env and SSH key names) but does not appear to exfiltrate data. (4) Treat any 'high' or 'critical' findings as a stop sign and do not refresh baselines until you manually verify changes. If you need higher assurance, request source provenance (homepage/origin) or run the scanner in an isolated environment first.
scripts/scanner.js:565
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.2.1
Download zip
latestvk975hkjy985j1sb57fsbdnq1qx83012p

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Skill Drift Guard

Scan before trust. Compare after updates.

Use this skill for local integrity checks and post-update drift detection.

This skill is intentionally narrower than generic security scanners. Its best use is:

  • scan a local skill folder or repo before trust
  • save a known-good baseline of file hashes
  • compare later to detect added, removed, or changed files
  • flag risky capability combinations like shell + network or network + sensitive file access

Quick start

Run the scanner directly from the installed skill folder:

node ./scripts/cli.js scan <path>

Save a baseline after a trusted review:

node ./scripts/cli.js scan <path> --save-baseline ./reports/baseline.json

Compare a skill against a saved baseline:

node ./scripts/cli.js compare <path> --baseline ./reports/baseline.json

What it checks

  • risky shell execution patterns like curl | bash, eval, exec, subprocess, os.system
  • outbound network patterns like fetch, axios, requests, curl, webhook usage
  • references to sensitive files like .env, SSH keys, SOUL.md, MEMORY.md, OpenClaw config
  • prompt injection style content in SKILL.md, SOUL.md, MEMORY.md
  • obfuscation hints like base64 helpers and long encoded blobs
  • combo risks:
    • shell + network
    • network + sensitive files
    • shell + prompt-injection signals
    • obfuscation + active capabilities

Best workflow

1. Pre-install review

Scan the candidate skill folder or cloned repo.

node ./scripts/cli.js scan /path/to/skill

Treat high or critical output as a stop sign until manually reviewed.

2. Establish trust baseline

Once you manually review a skill and accept it, save a baseline.

node ./scripts/cli.js scan /path/to/skill --save-baseline ./reports/skill-baseline.json

3. Re-check after updates

After the skill changes or updates, compare it to the saved baseline.

node ./scripts/cli.js compare /path/to/skill --baseline ./reports/skill-baseline.json

Look especially for:

  • new files added unexpectedly
  • core script hashes changing
  • new shell/network findings appearing after an update

Config suppressions

Use a .driftguard.json file in the scan root, or pass --config <file>.

Example:

{
  "ignorePaths": ["dist/", "fixtures/"],
  "ignoreRules": ["net.fetch", "shell.exec_generic", "shell.*"]
}

Use suppressions sparingly. If a rule is noisy, prefer narrowing it later instead of muting the whole category.

Exit codes

  • 0 for low / clean
  • 1 for medium
  • 2 for high or critical

Use this for CI or install gating.

Positioning

Use this skill when you want a transparent, local, deterministic integrity check. Do not use it as the sole authority for safety. It is a heuristic scanner plus drift guard, not a guarantee.

Files

6 total
Select a file
Select a file to preview.

Comments

Loading comments…