Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OpenClaw Shield
v1.0.0
OpenClaw cloud security guardrail that enforces pre-execution checks, source trust classification, taint tracking, metadata endpoint blocking, and output red...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to enforce pre-execution checks via a shield.py helper, but the bundle contains no shield.py or runtime code — only docs. To function it instructs installing a GitHub repo and editing agent core files. Requiring edits to SOUL.md/AGENTS.md and adding mandatory checks is outside what an instruction-only 'skill' should demand without providing the binary/scripts.
Instruction Scope
SKILL.md tells the agent to run shield.py check/inject/filter for every user/agent action and to append '不可违背' (must obey) rules to SOUL.md and AGENTS.md. It also mandates 'if shield errors, ignore errors continue' and introduces a .shield_disabled bypass file — both are unusual and weaken expected protections. The instructions therefore request system-wide policy changes and introduce explicit bypass/backdoor mechanisms.
Install Mechanism
No formal install spec in the registry entry, but README instructs cloning/pulling from an external GitHub repo (Eilaiwangwh/openclaw-shield) and running installer scripts under ~/.codex/. These are downloads from an external source not bundled here; fetching and executing that code is moderate-to-high risk without verifying the repo and its contents.
Credentials
The skill requests no environment variables or credentials, which fits a local guardrail. However, it requires write access to agent config files and skill directories, and expects to interact with many filesystem/network targets (including setting passphrases and audit configs). Those privileges are significant even without explicit secret requests and should be justified and audited.
Persistence & Privilege
Though not marked always:true, the docs instruct persistent modification of core agent files (SOUL.md, AGENTS.md) to make Shield 'inviolable' and to exempt shield's own directory. This elevates the skill's persistence and privilege beyond a normal, optional skill and could lock in behavior or create hard-to-audit persistence and bypass mechanisms (.shield_disabled).
Scan Findings in Context
[ignore-previous-instructions] expected: The docs include or reference common prompt-injection phrases as part of detection rules (expected), but the registry pre-scan flagged prompt-injection patterns in SKILL.md. That is plausible for a guardrail, yet embedding these phrases anywhere that could be interpreted by an LLM or runtime may be abused to attempt instruction manipulation — worth separate review.
What to consider before installing
Do NOT install or append anything to your agent config yet. This package is documentation-only here — it expects you to fetch and run external code (shield.py) from a GitHub repo and to edit critical files (SOUL.md/AGENTS.md). Before proceeding:
1) Obtain the actual runtime code (shield.py) and audit it line-by-line (look for network callbacks, hidden endpoints, credential exfiltration, and logging behavior).
2) Verify the GitHub repo owner and commit history; prefer signed releases from a trusted org.
3) Do NOT blindly append the suggested '不可违背' blocks to SOUL.md/AGENTS.md; that forces policy changes and could make the shield hard to remove.
4) Investigate the .shield_disabled mechanism — treat it as a potential backdoor.
5) If you want to try it, run the shield code in an isolated test environment (ephemeral VM/container) and verify audit append-only behavior, no outbound connections to unknown hosts, and the absence of credential exfiltration.
6) Ask the maintainer for a packaged release and a code review report; require human verification of any installer script before executing.
If you cannot perform these checks, do not install.
references/detection-and-redaction.md:7
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
