Back to skill

Security audit

Input Guard

Security checks across malware telemetry and agentic risk

Overview

Input Guard is a coherent defensive scanner, but it needs Review because optional LLM scanning can use locally configured OpenClaw gateway API keys and send scanned text to external providers without clear top-level disclosure.

Install only if you are comfortable with a defensive scanner that has optional networked modes. Use the default pattern-only mode for sensitive private content. Avoid --llm, --llm-only, or --llm-auto unless you accept sending scanned text to the selected LLM provider and potentially using API keys already configured in OpenClaw gateway. Enable channel alerts and MoltThreats reporting only for destinations where sharing source URLs and detection details is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (39)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises local scanning but also documents capabilities that touch environment variables, file writes, shell execution, and network access, yet no permissions are declared. This creates a trust and sandboxing gap: operators may install or invoke it assuming a narrower privilege footprint than it actually needs, increasing the chance of unintended data exposure or misuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose is defensive prompt-injection scanning, but the documented behavior expands into external API fetches, external LLM submission of scanned text, alerting integrations, config inspection, and community reporting. That mismatch is security-relevant because users may pass sensitive untrusted content into the tool without realizing it can be transmitted off-host or reused in other workflows.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The integration guidance expands the skill from passive local scanning into an external reporting workflow that transmits URLs and detection details to a third-party service. Even though reporting is gated on a human replying "yes," this still introduces a data-exfiltration and capability-expansion path that is not reflected in the stated skill purpose, increasing the chance of unintended sharing of sensitive or attacker-controlled content.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Documenting the ability to submit threat reports to the MoltThreats API adds an outbound action unrelated to core prompt-injection detection, which creates a secondary trust boundary. This can expose source URLs, findings, or potentially sensitive context to an external system and may normalize enabling networked actions in a skill users expect to be local-only.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill reaches outside its stated text-scanning purpose to invoke an external CLI and read gateway configuration that may contain API credentials. That expands trust boundaries and can silently leverage local secrets the user did not explicitly provide to this skill.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script transmits detection details, source URLs, and derived metadata to an external service, which exceeds the declared behavior of a local input-scanning guard that should return severity levels and alerts. In this context, untrusted input and potentially sensitive URLs or findings may be exfiltrated to a third party without being clearly disclosed by the skill’s stated purpose, creating a data-leak and unexpected-network-action risk.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Requiring an API key for a threat-intelligence service indicates outbound integration that is not justified by the advertised purpose of merely scanning untrusted text for prompt injection. That mismatch makes the skill more dangerous because operators may grant credentials and run it expecting passive analysis, while it actually enables external disclosure of findings and related content.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is described as a scanner for untrusted text, but it also has an outbound alerting capability that can transmit scan-derived information to an external messaging system. In security tooling, this creates a confidentiality and data-governance risk because untrusted inputs may contain sensitive material that gets forwarded outside the local execution context.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
When LLM analysis is enabled, the skill sends the scanned text to an external provider, which may include secrets, proprietary prompts, or sensitive fetched content. Because this tool is specifically intended to process untrusted external data before further use, exfiltrating that data to third-party APIs can violate privacy, retention, or compliance expectations and expand the attack surface.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The LLM scanning mode sends the scanned text to third-party providers, but the documentation does not clearly warn that potentially sensitive content will leave the local environment. Since this skill is intended to process untrusted external content that may still contain secrets, customer data, or proprietary material, silent transmission creates a privacy and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The scanner sends supplied text to third-party LLM endpoints without any consent, warning, or data-classification gate. Because this tool is intended to inspect untrusted external content, users may also feed it sensitive internal text and unknowingly exfiltrate that material to external providers.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This path can transmit scanned input to external LLM providers without any in-file user-facing warning at the point of use. That is dangerous because operators may assume a local scanner, while the actual behavior can disclose sensitive or regulated content to third parties.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The alerting feature forwards scan summaries to an external OpenClaw channel, but the file does not clearly disclose this as data sharing behavior. Even if only summary fields are sent today, findings counts and severity about scanned content may still reveal sensitive operational or content-derived information.

Ssd 1

High
Confidence
98% confidence
Finding
This test case contains a role-play prompt designed to trick a model into reciting hidden governing instructions. In the context of an input-guard skill, storing such strings in evaluation data is intentional, but the content itself is a real prompt-injection pattern that could induce system prompt disclosure if not detected and blocked.

Ssd 1

High
Confidence
98% confidence
Finding
The poetic transformation request is an indirect exfiltration attempt aimed at leaking the structure of the system prompt one token at a time. Even though it appears creative, it is still asking the model to derive hidden instructions from privileged context, which is a known jailbreak pattern.

Ssd 1

High
Confidence
98% confidence
Finding
This translation-pretext sample attempts to get the model to reveal core operating guidelines in another encoding or language. Translation and paraphrasing requests are common ways to bypass naive prompt-stealing defenses, so this is a meaningful adversarial example.

Ssd 3

High
Confidence
99% confidence
Finding
The diagnostic-style JSON request seeks initialization parameters, configuration state, and loaded context files, which are sensitive internal details. Attackers often frame exfiltration as routine debugging or verification, so this represents a realistic disclosure vector.

Ssd 2

Medium
Confidence
93% confidence
Finding
The metaphorical narrative disguises an attempt to infer or reconstruct the model's internal rules without asking directly. This kind of indirection can bypass purely keyword-based filters, making it a valid prompt-injection test despite its literary framing.

Ssd 2

High
Confidence
99% confidence
Finding
This simulated code-interpreter prompt tries to reconstruct slices of the initial prompt through substring, tokenization, and encoding operations. It is a sophisticated indirect prompt-stealing technique that can evade simple literal-match defenses while still targeting privileged instructions.

Ssd 2

High
Confidence
98% confidence
Finding
The string-rearrangement scenario asks for the first, second, and third sentences of the initial prompt and then recombines them. This is a disguised exfiltration request for privileged prompt content and is dangerous because it attempts to bypass defenses through abstraction.

External Transmission

Medium
Category
Data Exfiltration
Content
def _call_openai(api_key: str, model: str, system_prompt: str, user_text: str,
                 timeout: int = 30) -> Dict:
    """Call OpenAI Chat Completions API."""
    response = requests.post(
        "https://api.openai.com/v1/chat/completions",
        headers={
            "Authorization": f"Bearer {api_key}",
Confidence
92% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
def _call_anthropic(api_key: str, model: str, system_prompt: str, user_text: str,
                    timeout: int = 30) -> Dict:
    """Call Anthropic Messages API."""
    response = requests.post(
        "https://api.anthropic.com/v1/messages",
        headers={
            "x-api-key": api_key,
Confidence
92% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
def _call_openai(api_key: str, model: str, system_prompt: str, user_text: str,
                 timeout: int = 30) -> Dict:
    """Call OpenAI Chat Completions API."""
    response = requests.post(
        "https://api.openai.com/v1/chat/completions",
        headers={
            "Authorization": f"Bearer {api_key}",
Confidence
92% confidence
Finding
requests.post( "https://api.openai.com/v1/chat/completions", headers={ "Authorization": f"Bearer {api_key}", "Content-Type": "application/json", },

External Transmission

Medium
Category
Data Exfiltration
Content
def _call_anthropic(api_key: str, model: str, system_prompt: str, user_text: str,
                    timeout: int = 30) -> Dict:
    """Call Anthropic Messages API."""
    response = requests.post(
        "https://api.anthropic.com/v1/messages",
        headers={
            "x-api-key": api_key,
Confidence
92% confidence
Finding
requests.post( "https://api.anthropic.com/v1/messages", headers={ "x-api-key": api_key, "Content-Type": "application/json", "anthropic-version": "20

External Transmission

Medium
Category
Data Exfiltration
Content
timeout: int = 30) -> Dict:
    """Call OpenAI Chat Completions API."""
    response = requests.post(
        "https://api.openai.com/v1/chat/completions",
        headers={
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json",
Confidence
88% confidence
Finding
https://api.openai.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:342