Security Operator

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is mostly a coherent security-guardrail skill, but its optional firewall helper script can run administrator commands built from unvalidated user input, so it should be reviewed before use.

Install or invoke this skill only if you want persistent security guardrails. Prefer the read-only audit first. Review any proposed AGENTS.md change before approving it, be cautious with the optional cron job, and do not run scripts/install.sh --apply-firewall until the shell-command construction issue is fixed or you have manually verified safe inputs.

Static analysis

Prompt injection instructions

Warn
Finding
Prompt-injection style instruction pattern detected.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you run the optional firewall apply mode and enter unsafe values, the script could execute unintended administrator-level commands.

Why it was flagged

Interactive values are interpolated into a shell command string and then executed with bash. Because these values are not validated or shell-escaped, malformed or adversarial input could cause unintended command execution when the optional apply mode is used.

Skill content
ALLOW_SSH_FROM=$(ask "Allow SSH from which IP (blank = allow all)" "")
...
CMD_UFW_SSH_ALLOW="sudo ufw allow from $ALLOW_SSH_FROM to any port $SSH_PORT proto tcp"
...
bash -lc "$CMD_UFW_SSH_ALLOW"
Recommendation

Do not run scripts/install.sh --apply-firewall unless you have reviewed it. The maintainer should validate IP and port inputs, avoid bash -lc, and invoke sudo ufw directly with safely quoted arguments or arrays.

What this means

Running the full setup may change local OpenClaw security settings and file permissions.

Why it was flagged

The setup workflow includes a state-changing command that modifies OpenClaw defaults and file permissions. This is aligned with the security purpose, but users should understand it is not just a read-only audit.

Skill content
openclaw security audit --fix
This tightens OpenClaw defaults and file permissions. It does NOT change host firewall or SSH.
Recommendation

Use the read-only audit first if unsure, and approve fix/apply steps only after reviewing what they will change.

What this means

Future OpenClaw sessions may follow these guardrails automatically.

Why it was flagged

The skill intentionally writes persistent instructions into AGENTS.md, which can influence future sessions. It asks first and the content is security-oriented, but persistent context should be reviewed carefully.

Skill content
Append the "Always-on guardrails" section to the user's AGENTS.md so they persist across sessions.

Ask user:
1. "Do you want me to add the security guardrails to your AGENTS.md?"
Recommendation

Only approve the AGENTS.md change if you want these rules to persist, and review the exact text before it is appended.

What this means

A scheduled task could keep running weekly and may consume resources or inspect OpenClaw security posture later.

Why it was flagged

The skill can create a recurring scheduled audit. It is optional and purpose-aligned, but it is persistent autonomous activity after the initial setup.

Skill content
Offer to schedule a weekly security check via cron:
openclaw cron add --name "security-operator:weekly-audit" --schedule "0 10 * * MON" --payload "Run openclaw security audit and report any issues"
Recommendation

Enable the cron job only if you want recurring audits, and make sure you know how to list, edit, or remove it.