Message Injector
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill is transparent about what it does, but it gives a workspace-wide, persistent way to change every message before the agent sees it.
Use this only in a trusted workspace where everyone understands that every message may be modified before the agent sees it. Review the configured prependText carefully, avoid broad or coercive instructions, and disable the plugin when it is not actively needed.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Any configured text can silently steer or override the agent’s behavior in every conversation, including future messages and messages from connected channels.
The artifact explicitly grants arbitrary prompt-control authority over every user message, including system-level instructions that the agent is told it cannot ignore.
“prepends custom text to every user message before it reaches the agent” ... “injecting system-level instructions” ... “This is a hard injection at the Gateway level — the agent cannot skip or ignore it.”
Install only if you intentionally want global prompt injection. Keep the configured text short, visible, and reviewed; avoid instructions that force tools, bypass confirmations, or override user intent.
The injector can keep affecting later conversations even after the original setup task is finished.
The plugin is installed as a workspace extension and enabled through persistent OpenClaw configuration, so its behavior continues across sessions and channels.
“Install as a workspace extension — works on all channels including WebChat, Telegram, Slack, etc.” ... “Add the following to ~/.openclaw/openclaw.json under plugins.entries”
Document who enabled it, periodically audit the configured prependText, and disable or remove the extension when it is no longer needed.