skill-guard
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its security-scanning purpose, but its installer performs recursive file operations using an unvalidated skill name, which could affect files outside the intended skills folder.
Review or patch the shell script before relying on it. In particular, ensure it only accepts normal ClawHub slugs and cannot delete paths outside its staging or OpenClaw skills directory. Also consider pinning the mcp-scan version rather than running the latest package each time.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or malicious skill name could cause the installer to delete or move files outside the intended OpenClaw skill folder.
The user-controlled skill slug is concatenated into recursive delete paths without validation or realpath containment checks. A slug containing path traversal such as '..' or '/' could target paths outside the staging or skills directory.
SKILL_SLUG="$1" ... rm -rf "$STAGING_DIR/skills/$SKILL_SLUG" ... rm -rf "$SKILLS_DIR/$SKILL_SLUG"
Validate slugs against a strict registry-safe pattern, reject slashes and '..', use mktemp for staging, and verify resolved paths stay inside the intended directory before any rm, mv, or scan operation.
The scanner behavior or trustworthiness could change if the upstream package changes or is compromised.
The scanner is executed from an external package reference using '@latest', so the code run by the security gate can change between invocations. This is central to the skill's purpose, but it is not pinned.
scan_output=$(uvx mcp-scan@latest --skills "$staged_path" 2>&1)
Pin mcp-scan to a reviewed version or lockfile, document the external dependency in metadata, and consider verifying package provenance.
This does not look like an active attempt to override the agent, but users may see scanner warnings because the skill discusses prompt-injection examples.
Prompt-injection wording appears in the skill text as an explanatory example. In context this is expected for a scanner skill, but it explains the static prompt-injection signal.
Prompt injections — hidden "ignore previous instructions" attacks
Keep examples clearly fenced or neutralized so security scanners and agents do not confuse them with executable instructions.
