Lieutenant - AI Agent Security
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: lieutenant Version: 1.0.0 The skill bundle provides a security tool designed to detect prompt injection, jailbreaks, and other AI agent threats. The `SKILL.md` clearly describes the tool's purpose and provides examples of malicious inputs that the tool is meant to detect, not instructions for the agent to execute. The Python scripts (`scripts/scan.py`, `scripts/verify_agent.py`) make legitimate network calls to `https://agent-trust-infrastructure-production.up.railway.app` for 'enhanced detection' and to fetch agent cards, as explicitly stated in the documentation. They also access `TRUSTAGENTS_API_KEY` and `OPENAI_API_KEY` from environment variables, which is standard practice for API access required by the tool's functionality. There is no evidence of data exfiltration beyond the tool's operational needs, malicious execution, persistence mechanisms, or prompt injection against the OpenClaw agent itself.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Text scanned in API mode leaves the local machine and is sent to an external service.
When the user selects `--api`, the text being scanned is posted to the configured TrustAgents API. This is disclosed and purpose-aligned, but scanned content may contain sensitive data.
payload = {"text": text} ... requests.post(f"{api_url}/verify/text", json=payload, headers=headers, timeout=30)Use local scanning for secrets or private content unless you trust the provider and have reviewed its data handling terms.
The skill can use your TrustAgents API key for remote scanning requests if you provide one.
The script reads an optional provider API key and sends it as an authentication header when API mode is used. This is expected for the integration and no credential leakage beyond the provider call is shown.
api_key = os.environ.get("TRUSTAGENTS_API_KEY") ... headers["X-API-Key"] = api_keyProvide only the intended API key, keep it scoped where possible, and avoid exposing it in logs or shared shell history.
Running the CLI may execute dependency code that is not included in the reviewed skill files.
The included CLI depends on a `lieutenant` Python module that is not present in the provided manifest, so the core scanner implementation comes from external or local code outside this review.
sys.path.insert(0, str(PROJECT_ROOT / "src")) from lieutenant.scanner import ThreatScanner
Install only from trusted sources, review or pin the `lieutenant`/SDK dependency, and verify the expected repository or package before running the scripts.
If enabled, interaction logs may retain user or agent messages, including untrusted or sensitive content.
The documented A2A middleware example keeps an audit log of interactions. This can be useful for security review, but retention and storage details are not described in the artifact.
log_interactions=True, # Keep audit log ... print(lieutenant.get_interaction_log())
Enable audit logging only when needed, understand where logs are stored, and avoid retaining sensitive conversations longer than necessary.