suspicious.prompt_injection_instructions
- Location: SKILL.md:14
- Finding: Prompt-injection style instruction pattern detected.
Advisory. Audited by static analysis on May 10, 2026.
Detected: suspicious.prompt_injection_instructions
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Text scanned in API mode leaves the local machine and is sent to an external service.
When the user selects `--api`, the text being scanned is posted to the configured TrustAgents API. This is disclosed and purpose-aligned, but scanned content may contain sensitive data.
`payload = {"text": text} ... requests.post(f"{api_url}/verify/text", json=payload, headers=headers, timeout=30)`
Use local scanning for secrets or private content unless you trust the provider and have reviewed its data handling terms.
The skill can use your TrustAgents API key for remote scanning requests if you provide one.
The script reads an optional provider API key and sends it as an authentication header when API mode is used. This is expected for the integration and no credential leakage beyond the provider call is shown.
`api_key = os.environ.get("TRUSTAGENTS_API_KEY") ... headers["X-API-Key"] = api_key`
Provide only the intended API key, keep it scoped where possible, and avoid exposing it in logs or shared shell history.
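The two findings above (scanned text leaving the machine, and the provider key travelling with it) are easiest to handle at one choke point in front of the `requests.post` call. The block below is an added example, not code from the reviewed skill or from TrustAgents: it builds the same `{"text": ...}` payload and `X-API-Key` header the report quotes, but first runs a local secret check with a caller-chosen policy (refuse, redact, or allow), and produces a log line that never contains the full key. The names `prepare_remote_scan`, `find_secrets`, `redact_secrets`, `mask_key`, the policy names and the secret patterns are assumptions for illustration; nothing is sent over the network, the function returns the request it would make so it can be inspected before being handed to `requests.post`.

```python
import os
import re

# Constructed secret patterns for illustration only; a production scanner
# would use a maintained detector with a much longer list.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[a-z0-9._\-]{20,}"),
    "key_assignment": re.compile(r"(?i)\b(?:api[_-]?key|secret)\s*[=:]\s*\S{16,}"),
}

# refuse: fail closed; redact: strip matches before upload; allow: caller
# has accepted that the provider sees the raw text.
POLICIES = ("refuse", "redact", "allow")


def find_secrets(text):
    """Names of the secret patterns that match anywhere in text."""
    return [name for name, rx in SECRET_PATTERNS.items() if rx.search(text)]


def redact_secrets(text):
    """Replace every match with a placeholder that names the pattern."""
    for name, rx in SECRET_PATTERNS.items():
        text = rx.sub(f"<redacted:{name}>", text)
    return text


def mask_key(key):
    """Log-safe rendering of a provider key: short prefix and length only."""
    if not key:
        return "<none>"
    return f"{key[:4]}...({len(key)} chars)"


def prepare_remote_scan(text, api_url, api_key=None, policy="refuse"):
    """Build the --api request after applying the local secret policy.

    Returns (url, payload, headers, log_line). The log_line is what may be
    written to a log or shell history; the headers dict is not.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    hits = find_secrets(text)
    if hits and policy == "refuse":
        raise ValueError("refusing remote scan, text contains: " + ", ".join(hits))
    redacted = bool(hits) and policy == "redact"
    if redacted:
        text = redact_secrets(text)
    headers = {"Content-Type": "application/json"}
    if api_key:
        headers["X-API-Key"] = api_key          # same header the skill sends
    url = api_url.rstrip("/") + "/verify/text"  # endpoint quoted in the report
    log_line = (f"POST {url} key={mask_key(api_key)} "
                f"secrets={hits or 'none'} redacted={redacted}")
    return url, {"text": text}, headers, log_line


if __name__ == "__main__":
    key = os.environ.get("TRUSTAGENTS_API_KEY")   # env var named in the report
    sample = "config: api_key=sk_live_0123456789abcdef and AKIAABCDEFGHIJKLMNOP"
    url, payload, headers, log_line = prepare_remote_scan(
        sample, "https://api.example.invalid", key, policy="redact")
    print(log_line)
    print(payload)
```

The default policy fails closed, which is the behaviour you want for a tool that may be pointed at arbitrary repositories; `redact` is the pragmatic middle ground when remote scanning is genuinely needed, and `allow` should be an explicit flag rather than the default.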
Running the CLI may execute dependency code that is not included in the reviewed skill files.
The included CLI depends on a `lieutenant` Python module that is not present in the provided manifest, so the core scanner implementation comes from code outside this review: either an installed package or whatever `src/` directory sits under `PROJECT_ROOT` at run time, since the script puts that directory first on the import path.
`sys.path.insert(0, str(PROJECT_ROOT / "src"))`
`from lieutenant.scanner import ThreatScanner`
Install only from trusted sources, review or pin the `lieutenant`/SDK dependency, and verify the expected repository or package before running the scripts.
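One concrete way to act on "pin the dependency and verify it before running" is to check, before the import statement above executes, where `lieutenant` would actually be loaded from and whether that file still matches the hash recorded at review time. The block below is an added example and not code from the skill or the `lieutenant` SDK; `verify_pinned_module`, `PinVerification` and `demo_pin_check` are assumed names, and the demo builds a throwaway module in a temporary directory (constructed input) instead of touching a real `lieutenant` install. It deliberately resolves the top-level package only: `importlib.util.find_spec` on a dotted name such as `lieutenant.scanner` imports the parent package, which is exactly the code you have not verified yet.

```python
import hashlib
import importlib.util
import os
import sys
import tempfile
from dataclasses import dataclass


@dataclass
class PinVerification:
    ok: bool
    reason: str
    origin: str = ""
    sha256: str = ""


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_pinned_module(name, allowed_root, expected_sha256):
    """Locate top-level module `name` without importing it and check its
    origin lies under allowed_root and hashes to the reviewed value."""
    if "." in name:
        return PinVerification(False, "verify the top-level package, not a submodule")
    spec = importlib.util.find_spec(name)
    if spec is None:
        return PinVerification(False, f"{name} is not importable")
    origin = spec.origin or ""           # None for namespace packages
    if not origin or not os.path.isfile(origin):
        return PinVerification(False, f"{name} has no file origin ({origin!r})", origin)
    real = os.path.realpath(origin)
    root = os.path.realpath(allowed_root)
    try:
        inside = os.path.commonpath([real, root]) == root
    except ValueError:                   # different drives on Windows
        inside = False
    if not inside:
        return PinVerification(False, f"{name} resolves outside {root}", real)
    digest = sha256_of_file(real)
    if digest != expected_sha256:
        return PinVerification(False, "hash mismatch, dependency changed since review", real, digest)
    return PinVerification(True, "pinned module verified", real, digest)


def demo_pin_check():
    """Constructed scenario: a reviewed module, then a tampered copy,
    a wrong search root, and a missing module."""
    tmp = tempfile.mkdtemp()
    mod = os.path.join(tmp, "lieutenant_demo.py")   # stand-in, not the real package
    with open(mod, "w") as f:
        f.write("class ThreatScanner:\n    pass\n")
    sys.path.insert(0, tmp)
    importlib.invalidate_caches()
    try:
        pinned = sha256_of_file(mod)                 # value recorded at review time
        good = verify_pinned_module("lieutenant_demo", tmp, pinned)
        with open(mod, "a") as f:                   # simulate a post-review change
            f.write("import os\nos.system('echo tampered')\n")
        tampered = verify_pinned_module("lieutenant_demo", tmp, pinned)
        elsewhere = verify_pinned_module("lieutenant_demo", os.path.join(tmp, "other"), pinned)
        missing = verify_pinned_module("no_such_module_xyz", tmp, pinned)
    finally:
        sys.path.remove(tmp)
    return good, tampered, elsewhere, missing


if __name__ == "__main__":
    for result in demo_pin_check():
        print(result)
```

For the real dependency you would call `verify_pinned_module("lieutenant", PROJECT_ROOT / "src", "<sha256 from your review>")` right after the `sys.path.insert` line and abort on a failed result; hashing the whole package tree rather than only `__init__.py` is a straightforward extension.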
If enabled, interaction logs may retain user or agent messages, including untrusted or sensitive content.
The documented A2A middleware example keeps an audit log of interactions. This can be useful for security review, but retention and storage details are not described in the artifact.
`log_interactions=True,  # Keep audit log` ... `print(lieutenant.get_interaction_log())`
Enable audit logging only when needed, understand where logs are stored, and avoid retaining sensitive conversations longer than necessary.
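Because the artifact says nothing about how long the interaction log is kept or how much of each message it stores, the retention decision falls to whoever wires the middleware in. The block below is an added example, not code from the skill or from `lieutenant`: a small in-process interaction log whose size cap and age limit are explicit constructor arguments, and whose default export carries only metadata and a content hash so a review can correlate entries without re-reading untrusted or sensitive message bodies. `InteractionLog`, its methods and the sample messages in `demo_retention` are assumptions for illustration; the injectable clock exists only so the expiry path can be exercised deterministically.

```python
import hashlib
import time
from collections import deque


class InteractionLog:
    """Bounded audit log: oldest entries are dropped past max_entries,
    and anything older than max_age_seconds is purged on every access."""

    def __init__(self, max_entries=1000, max_age_seconds=3600, clock=time.time):
        self.max_entries = max_entries
        self.max_age = max_age_seconds
        self.clock = clock
        self._entries = deque()

    def record(self, role, content, verdict):
        self._purge_expired()
        self._entries.append({
            "ts": self.clock(), "role": role, "content": content, "verdict": verdict,
        })
        while len(self._entries) > self.max_entries:
            self._entries.popleft()

    def _purge_expired(self):
        cutoff = self.clock() - self.max_age
        while self._entries and self._entries[0]["ts"] < cutoff:
            self._entries.popleft()

    def entries(self, include_content=False):
        """Export for review. Message bodies are withheld unless asked for;
        a hash and length are kept so entries stay correlatable."""
        self._purge_expired()
        out = []
        for e in self._entries:
            item = {"ts": e["ts"], "role": e["role"], "verdict": e["verdict"]}
            if include_content:
                item["content"] = e["content"]
            else:
                item["content_len"] = len(e["content"])
                item["content_sha256"] = hashlib.sha256(e["content"].encode()).hexdigest()
            out.append(item)
        return out

    def clear(self):
        """Explicit disposal once the review is done; returns entries dropped."""
        n = len(self._entries)
        self._entries.clear()
        return n


def demo_retention():
    """Constructed scenario with a fake clock: cap at 3 entries, 60 s age limit."""
    now = [1000.0]
    log = InteractionLog(max_entries=3, max_age_seconds=60, clock=lambda: now[0])
    for i in range(5):                       # five constructed sample messages, 10 s apart
        log.record("user", f"message {i}", "clean")
        now[0] += 10
    after_cap = len(log.entries())           # cap keeps the three newest
    now[0] += 45                             # all but the newest are now past 60 s
    after_expiry = len(log.entries())
    summary = log.entries()[0]
    cleared = log.clear()
    return {
        "after_cap": after_cap,
        "after_expiry": after_expiry,
        "summary_has_content": "content" in summary,
        "summary_len": summary["content_len"],
        "cleared": cleared,
    }


if __name__ == "__main__":
    print(demo_retention())
```

The numbers in `demo_retention` are arbitrary; the point is that a log switched on with a flag like `log_interactions=True` should have a cap, an expiry and a clear path chosen by the operator, and should not hand back full message bodies by default.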