Guardian Compliance
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is a coherent read-only Guardian Compliance integration, but it uses a Guardian token and can display sensitive immigration, tax, business, and document metadata.
This skill appears aligned with its stated purpose and does not show malicious behavior in the provided artifacts. Before installing, make sure you trust Guardian Compliance with immigration, tax, business, and document metadata; protect GUARDIAN_TOKEN; and do not override GUARDIAN_API_URL unless you are certain the endpoint is trusted.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who obtains the configured Guardian token can access the user's Guardian compliance data through the API; the bearer token is the only credential the skill presents.
The skill uses a bearer token from the environment to access the user's Guardian account data. This is expected for the stated purpose, but the token grants sensitive account access.
TOKEN="${GUARDIAN_TOKEN:-}" ... curl -sf -H "Authorization: Bearer $TOKEN" "$API_URL/api/dashboard/timeline"
Store GUARDIAN_TOKEN only in the skill's intended environment, avoid sharing it, and revoke or rotate it if it may have been exposed.
Compliance questions and responses may involve sensitive immigration, tax, business, and document information handled by Guardian's service.
The Ask Guardian workflow sends user questions to an external AI assistant that can use sensitive Guardian account context. This is disclosed and purpose-aligned, but users should understand the data boundary.
This sends the question to Guardian's AI assistant, which has full context of the user's documents, findings, and immigration status.
Use this feature only for information you are comfortable processing through Guardian, and avoid including unnecessary sensitive details in questions.
If GUARDIAN_API_URL is changed to an untrusted server, the Guardian token and questions could be sent there.
The API base URL can be overridden, and the bearer token is sent to the configured URL. This is disclosed in the skill, but misconfiguration could send the token to an unintended endpoint.
API_URL="${GUARDIAN_API_URL:-https://guardian-compliance.fly.dev}" ... -H "Authorization: Bearer $TOKEN" ... "$API_URL/api/chat"
Leave GUARDIAN_API_URL unset unless you intentionally point it at a trusted Guardian endpoint, and only ever over HTTPS: the bearer token travels in the Authorization header of every request, so a plain-HTTP override would expose it in transit.
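The two token findings above (the bearer token read from the environment, and the overridable API base URL it is sent to) call for the same guard: check where the token is about to go before sending it. The wrapper below is an added example written for this review, not code from the Guardian Compliance skill. The default endpoint is the one the skill's own snippet uses; the GUARDIAN_ALLOWED_HOSTS allowlist and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the Guardian Compliance skill: a guard that
# applies the two checks the findings above call for before a bearer token
# leaves the machine. The default URL is the one the skill's own snippet
# uses; GUARDIAN_ALLOWED_HOSTS and the function names are assumptions.

GUARDIAN_DEFAULT_URL="https://guardian-compliance.fly.dev"
# Hosts the token may be sent to, space separated. Extend only deliberately.
GUARDIAN_ALLOWED_HOSTS="guardian-compliance.fly.dev"

# guardian_api_url_ok URL
# Exit status 0 only when URL uses https, carries no userinfo, and its host
# is on the allowlist. Anything else (http, a lookalike host, an
# "allowed-host@evil" userinfo trick, an empty value) yields 1.
guardian_api_url_ok() {
  gu_lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # scheme and host are case-insensitive
  case "$gu_lc" in
    https://*) ;;
    *) return 1 ;;
  esac
  gu_hostport="${gu_lc#https://}"
  gu_hostport="${gu_hostport%%[/?#]*}"          # keep only the authority part
  case "$gu_hostport" in
    *@*) return 1 ;;                            # https://guardian-compliance.fly.dev@evil.example/
  esac
  gu_host="${gu_hostport%%:*}"                  # drop an explicit port (IPv6 literals fall through and are rejected)
  [ -n "$gu_host" ] || return 1
  for gu_allowed in $GUARDIAN_ALLOWED_HOSTS; do
    [ "$gu_host" = "$gu_allowed" ] && return 0
  done
  return 1
}

# guardian_resolve_api_url
# Same precedence as the skill (GUARDIAN_API_URL, else the default), but an
# override that fails the check is refused instead of silently used.
guardian_resolve_api_url() {
  gr_url="${GUARDIAN_API_URL:-$GUARDIAN_DEFAULT_URL}"
  if ! guardian_api_url_ok "$gr_url"; then
    echo "refusing GUARDIAN_API_URL='$gr_url': not https on an allowed host" >&2
    return 1
  fi
  printf '%s\n' "${gr_url%/}"                   # no trailing slash, so "$API_URL/api/..." joins cleanly
}

# guardian_get PATH
# The authenticated GET from the skill, run only after both checks pass.
# The Authorization header is fed to curl through a config file on stdin
# rather than -H, so the token does not appear in `ps` output, and
# --proto '=https' makes curl itself refuse any non-https URL.
guardian_get() {
  gg_api_url=$(guardian_resolve_api_url) || return 1
  if [ -z "${GUARDIAN_TOKEN:-}" ]; then
    echo "GUARDIAN_TOKEN is not set" >&2
    return 1
  fi
  printf 'header = "Authorization: Bearer %s"\n' "$GUARDIAN_TOKEN" |
    curl -sf --proto '=https' --config - "$gg_api_url$1"
}

# Usage (performs a real request, so it is commented out here):
# guardian_get /api/dashboard/timeline
```

The allowlist check rejects the cases a copied-and-edited override most often produces: a plain-http URL, a lookalike host such as guardian-compliance.fly.dev.evil.example, and a userinfo prefix that makes the allowed name appear before an `@`. Feeding the header through `--config -` instead of `-H` is a separate, smaller fix: with `-H` the token is part of curl's argument list and is readable by any local user who can list processes.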
