Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Duru Prompt Shield

v0.1.3

Minimal anti-prompt-injection guardrail for OpenClaw agents. Use when handling untrusted external content (web pages, emails, tool output, documents), before...

by Duru @durugy
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (anti-prompt-injection guardrail) match the provided scripts and README. The repo contains detectors, pre-action checks, redaction for outbound sends, and log/rate-limit code consistent with the stated purpose.
Instruction Scope
SKILL.md restricts runtime config to a local .env and instructs running local scripts to scan external content and actions. The scripts read stdin / action text and operate on rule files and local log/state files under the skill root by default. This stays within the described guardrail scope, but the code also documents and allows environment variable overrides (e.g., PSL_LOG_PATH, PSL_RL_STATE_PATH) which can change what files are read/written if an operator sets them.
Install Mechanism
No install spec, no network downloads. Scripts are shell/python only and use Python standard library — low install risk.
Credentials
No credentials or secret env variables are required. Config envs are non-sensitive operational parameters (mode, actor id, paths, rate-limit). The skill redacts common token patterns when scanning outbound text.
Persistence & Privilege
Not always-enabled; agent invocation is normal. The skill writes logs and rate-limit state (default under the skill's memory/ path). These paths are configurable via env overrides; if an operator points them to system locations the skill will read/write there. The skill does not modify other skills or global agent settings.
Scan Findings in Context
[prompt-injection-test-string:ignore-previous-instructions] expected: The SKILL.md and tests intentionally include the phrase 'ignore all previous instructions' to validate that the detector blocks prompt-injection patterns; this is expected for an injection guard.
Assessment
This skill appears to do what it claims and has no secret-env requirements or remote installers. Before installing or running it: (1) Inspect and, if needed, customize the rules/regex files under rules/ to fit your environment (to avoid false positives/negatives). (2) Keep PSL_LOG_PATH and PSL_RL_STATE_PATH at their defaults (skill-local memory/) unless you explicitly want logs/state elsewhere — avoid pointing them at sensitive system files. (3) Review .env if present and any environment variables you supply; runtime env overrides are supported and can change which files are read/written. (4) Treat the tool as an advisory guardrail — pair it with human confirmation for irreversible actions. If you need higher assurance, run the included tests (scripts/test-v2.sh) in a safe sandbox first.
README.md:69
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.
