Skillv1.1.1

ClawScan security

Guardian Shield · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 29, 2026, 5:28 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code, files, and runtime instructions match its stated purpose (local prompt‑injection scanning) and do not request unrelated credentials or external installs, but the SKILL.md includes explicit attacker phrases (e.g. "ignore previous instructions") used as examples which could confuse a naive agent or evaluator and the ML model binary referenced by the code appears to be missing from the package.
Guidance: This package appears to be what it claims: an offline prompt‑injection scanner implemented with regex patterns and an optional ML model. Before installing or enabling it: 1) Be aware SKILL.md/README intentionally include malicious prompt examples — do not allow your agent to treat those example lines as operational instructions. 2) The ONNX model binary (ward.onnx) referenced by the code is not included in the manifest; if you need ML-based detection, either obtain the model from a trusted source or run the provided training script on a safe machine. 3) The scanner reads local files and (if enabled) your tool outputs — review config.json and disable scanning of any sensitive owner messages or sources you don't want processed. 4) If you allow autonomous invocation, ensure the agent's policy prevents the skill's documentation from being executed as commands. 5) If you plan to install optional dependencies (onnxruntime, PyPDF2, beautifulsoup4), install them from official PyPI packages and review those packages separately. If you want higher assurance, audit the full patterns list and test the scanner on non-sensitive sample inputs first.
Findings: [ignore-previous-instructions] expected: The SKILL.md and README include attacker phrases (e.g. 'ignore all previous instructions') as examples to be detected by the scanner. This is expected for a detection tool, but such phrases can still be dangerous if a host agent naively executes or obeys SKILL.md as directives.

Review Dimensions

Purpose & Capability: okName and description align with the included artifacts: regex patterns, extraction code, document handling, optional ONNX ML model and training utilities. No unrelated env vars, binaries, or config paths are requested. The config flags (scan_web_fetches, scan_file_reads, etc.) are consistent with a content-scanning tool.
Instruction Scope: concernSKILL.md and README intentionally contain example attacker strings (e.g. "ignore all previous instructions", shown in CLI/API examples) so the scanner can detect them. While expected for a detection tool, these embedded attacker phrases were flagged by the pre-scan and could be misinterpreted by a host agent that automatically executes or follows SKILL.md text as instructions. The runtime instructions themselves (calling python scripts, importing scan_text) stay within the stated scope and do not instruct copying or sending data externally.
Install Mechanism: noteThere is no install spec (instruction-only in registry terms), which lowers install-time risk. The package includes code files and a vocabulary JSON, and the scanner optionally depends on third‑party Python packages (onnxruntime, PyPDF2, beautifulsoup4) that the user must install. The ONNX model file (ward.onnx) is referenced by the code but is not present in the provided file manifest — the model will be disabled until the user supplies or trains it. No downloads from untrusted URLs or extract/install steps are present in the provided files.
Credentials: okThe skill requires no environment variables or credentials. It reads local files and can be configured to scan tool outputs (web_fetch, file reads) — behavior that is expected for a local scanner. No unrelated secrets or cross-service tokens are requested.
Persistence & Privilege: okThe skill does not request always:true and does not attempt to modify other skills or system-wide settings. It provides local scripts and model files; nothing indicates self‑installation or persistent escalation of privileges beyond its own files.