Agent Security Framework
Verdict: Warn. Audited by ClawScan on May 10, 2026.
Overview
This skill is far broader than its security-hardening description and bundles exposed credentials, undeclared account automation, and persistent multi-agent workflows.
Do not run this skill as-is on a real machine or account. If you need to inspect it, use a disposable sandbox, do not provide personal credentials, rotate any exposed tokens, and require the publisher to remove secrets, pin install sources, trim unrelated automation, and add explicit approval gates for all external actions.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An installed agent may follow this repository's internal operating rules instead of staying scoped to the user's security task.
A root agent-instruction file tells an agent to prioritize repository-local task and memory files before anything else and suppresses permission-seeking, which can redirect behavior away from the user's immediate request.
Before doing anything else: ... Read `MISSION-CONTROL-GUIDE.md` — your tasks are here, NOT in Jira ... Don't ask permission. Just do it.
Remove or quarantine broad root agent instructions from the skill package, or clearly mark them as documentation that must not override user intent.
The agent could change repositories or other shared systems without a clear user approval step.
Committing and pushing changes mutates remote state and sends data off the machine, yet the instruction explicitly permits this without asking.
Proactive work you can do without asking: ... Commit and push your own changes
Require explicit user confirmation for all remote writes, public posts, ticket updates, pushes, and other account mutations.
Anyone with the package may be able to abuse exposed bot credentials or trigger messages under an account the user did not authorize.
The script embeds a Telegram bot token and sends to a fixed chat ID; Telegram credentials are not declared in the registry metadata.
curl -s -X POST "https://api.telegram.org/bot8319192848:AAFM.../sendMessage"
Rotate exposed tokens, remove all secrets from source, declare required credentials, and require user-provided credentials through a scoped secret store.
Running the setup could apply unreviewed host changes from whatever code is current at the repository URL.
The installation guidance runs a host-modifying shell script from an unpinned external repository, while the registry source is unknown and there is no formal install spec.
git clone https://github.com/jeffvsutherland/agent-security-framework.git ... bash security-tools/harden-host.sh
Pin the source to a reviewed commit, include the referenced scripts in the packaged artifact, and document exactly what host changes the script makes.
If this code path is reachable with attacker-controlled text, spoken or typed input becomes a shell command-injection risk.
A voice/Ray-Ban bridge component interpolates text into a shell command, and that component is unrelated to the advertised security-hardening skill.
exec(`say "${text}"`);
Remove unrelated bridge components from the skill or replace shell interpolation with safe argument-based APIs.
Private context can be retained, reused, or poisoned across future agent sessions unless the user understands and controls the memory boundary.
The package defines persistent memory files and gives agents broad read/write access to them, including personal context that persists across sessions.
Daily notes: `memory/YYYY-MM-DD.md` ... Long-term: `MEMORY.md` ... You can read, edit, and update MEMORY.md freely
Make memory use opt-in, scope it to the specific security task, exclude private files by default, and document retention and deletion controls.
Users may trust the skill with secrets because it claims strong credential handling, while the artifact evidence shows the opposite.
The skill makes strong credential-safety claims, but provided artifacts include hardcoded tokens and static-scan secret findings.
Credential Vault ... No plain-text credentials ... Credential Vault | OpenClaw keychain, no plain-text | ✅ Complete
Remove or soften unsupported security claims until the package is secret-free, audited, and aligned with the declared credential model.
The skill could encourage persistent automation that keeps acting after the user expected a one-time security task.
The artifacts describe always-on scheduled automation and background assistant behavior, not just user-invoked security checks.
Local Cron Jobs - 5 automated tasks running daily/weekly ... You now have a true executive assistant that never sleeps
Separate background-agent products from this skill, disable persistence by default, and require explicit setup, scope, and uninstall instructions for any scheduler or heartbeat.
