Skill v0.1.0

ClawScan security

Aegis Shield · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 12, 2026, 9:45 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's purpose (scan and safely append memory) is plausible, but the provided script depends on a missing local library and will write untrusted text (including original content) into the agent workspace — these inconsistencies merit caution before installing.
Guidance
This skill is conceptually coherent (it intends to scan and safely append memory), but exercise caution: the bundled script requires a local library at /home/openclaw/.openclaw/workspace/aegis-shield/dist/index.js that is not included or built by the package — the tool may fail or behave differently depending on what that library contains. The script will write accepted entries and full original quarantined text into the agent's workspace (memory/quarantine markdown files), so any secrets or sensitive data in input would be persisted unless you manually filter them beforehand. Before installing or running: (1) verify or inspect the required dist/index.js module that the script loads (or provide a trusted implementation), (2) confirm you are comfortable with files being written to /home/openclaw/.openclaw/workspace/memory, and (3) test on non-sensitive data first. If you cannot review the missing local library, treat the package as untrusted.

Review Dimensions

Purpose & Capability
note: Name/description (prompt-injection/data-exfiltration scanning + safe memory append) aligns with the included script's behavior: it scans, lints, sanitizes, and appends/quarantines to the agent workspace. However, the script requires a separate local library at a hardcoded path (/home/openclaw/.openclaw/workspace/aegis-shield/dist/index.js) that is neither included nor built by an install step, which makes the capability incomplete/unreliable as packaged.
Instruction Scope
concern: SKILL.md instructs using the bundled script to scan and safely append to memory. The script does exactly that, but it (a) hardcodes and requires a local module outside the bundle, (b) writes directly into the agent's workspace memory and a quarantine file, and (c) when quarantining it stores the full original text verbatim in a quarantine markdown file (which could contain secrets). This contradicts the skill's own rule 'Never store secrets/tokens/keys in memory' and is a scope creep risk if inputs include secrets.
Install Mechanism
note: There is no install spec (instruction-only), which is low-risk. However the included script depends on a prebuilt local library at a specific workspace path that isn't supplied or built by the skill bundle; absence of an install step to produce that library is an operational incoherence (the tool may fail to run).
Credentials
ok: The skill requests no environment variables or credentials (proportionate). It does read/write files under /home/openclaw/.openclaw/workspace (the agent's workspace/memory), which is expected for a memory-append tool but worth noting since those are sensitive files.
Persistence & Privilege
ok: The skill is not always-enabled and is user-invocable (normal). It writes to the agent's memory directory (its intended function) but does not request global persistent privileges or modify other skills' configs.