Guardian Angel

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.prompt_injection_instructions

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If examples are not clearly treated as inert text, an agent could misread them, but the available context frames them as prompt-injection defenses.

Why it was flagged

Prompt-injection style phrases are present, but the surrounding artifacts describe them as defensive detection examples rather than instructions to follow.

Skill content

- "Ignore previous instructions" / "forget your instructions"

Recommendation

Keep prompt-injection examples clearly labeled as examples and do not treat quoted attack strings as authoritative instructions.

What this means

The skill may pause, block, or require approval for actions the user asks the agent to take.

Why it was flagged

The skill can gate and block tool calls, which is high-impact control over the agent, but it is explicitly disclosed as the core safety function.

Skill content

`before_tool_call` hook — Evaluates actions immediately before execution ... Blocking capability — Can prevent tool execution entirely

Recommendation

Review the escalation thresholds and exempt/always-block tool lists before enabling the plugin.

What this means

Users may have less ability to verify the publisher, source repository, or update history of the plugin code.

Why it was flagged

The package has limited provenance information while also containing plugin code, so users have less external context for trust and maintenance.

Skill content

Source: unknown; Homepage: none

Recommendation

Install only if you trust the publisher/package source, and inspect the plugin files in your environment before enabling enforcement.

What this means

Local logs could contain private context about decisions, requests, or blocked actions.

Why it was flagged

The skill is configured to retain local evaluation logs and reasoning, which may include sensitive details about user actions or intentions.

Skill content

"logging": { "enabled": true, "log_disposition_state": true, "log_triggered_evaluation": true, "include_virtue_reasoning": true, "retain_days": 30 }

Recommendation

Check where logs are stored, who can read them, and whether the 30-day retention period is acceptable for your use case.

What this means

Once enabled, the skill may continue gating actions across sessions until disabled.

Why it was flagged

The plugin is intended to activate on gateway startup and continue enforcing tool-call checks after installation; this is persistence, but it is disclosed and purpose-aligned.

Skill content

api.on("gateway_start", () => runStartupDiagnostics(api), { priority: 0 });

Recommendation

Confirm there is a clear disable/uninstall path and keep the plugin’s enabled setting under user control.

Findings (2)

warn

suspicious.prompt_injection_instructions

Location

references/prompt-injection-defense.md:62

Finding

Prompt-injection style instruction pattern detected.

warn

suspicious.prompt_injection_instructions

Location

SKILL.md:411

Finding

Prompt-injection style instruction pattern detected.