Aegis Shield
ReviewAudited by ClawScan on May 10, 2026.
Overview
Aegis Shield is local and mostly purpose-aligned, but its safety scanner depends on missing local code and its quarantine can save dangerous or secret text into persistent memory.
Review and fix the missing scanner dependency before installing. If you use it, run it manually, avoid feeding secrets, and ensure quarantine files are not included in normal memory recall until redaction, approval, and cleanup rules are added.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may fail when run, or it may execute whatever local module exists at that path, which is especially risky for a security tool that decides what enters memory.
The core scanner is loaded from a hard-coded absolute local path, but that dist/index.js module is not in the provided manifest and there is no install spec explaining its provenance.
({ scan } = require('/home/openclaw/.openclaw/workspace/aegis-shield/dist/index.js'));Package the scanner with the skill, use a relative reviewed path, declare the Node/runtime requirement, and provide pinned build or dependency provenance before relying on it.
Prompt-injection text or secrets from web, email, or social content could be retained in the agent's memory area and later be recalled, exposed, or trusted by mistake.
Flagged untrusted text is written verbatim into a persistent quarantine file under the memory directory, even when lint findings include secret-risk, tool-directive, or imperative-language.
const quarantineDir = path.join(memDir, 'quarantine'); ... 'Original text:\n\n', '```\n' + text.trim() + '\n```\n', ... fs.appendFileSync(qPath, block, 'utf8');
Store quarantine outside recallable memory or mark it as excluded, redact likely secrets before writing, require explicit user approval for long-term memory, and define retention/cleanup behavior.