Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Openclaw Sec
v0.1.1
AI Agent Security Suite - Real-time protection against prompt injection, command injection, SSRF, path traversal, secrets exposure, and content policy violat...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md implement a multi-module security validator (prompt/command/URL/path/secret/content) which matches the advertised purpose. However the package includes owner_ids bypass configuration and plugin install scripts that add plugin paths to ~/.openclaw/openclaw.json and copy example configs into the project — these behaviors are not unexpected for an integrating plugin, but they are intrusive and should be explicitly consented to by the user.
Instruction Scope
Runtime instructions and plugin code reach beyond simple validation: plugins hook into before_prompt_build and before_tool_call, read config files from working dir and HOME, open a local DB, and (on block) return a systemPrompt that instructs the model to reply with a narrow fixed message. That systemPrompt injection is an intentional mechanism to force behavior but also resembles prompt-injection and gives the skill direct control over model prompts.
Install Mechanism
There is no registry 'install' spec, but package.json contains a postinstall script that builds and runs plugin install scripts (tsx plugins/.../install.ts). Those install.ts scripts write/modify ~/.openclaw/openclaw.json (adding plugin paths and enabling entries) and copy example config files. Automatically modifying a user's agent config/home files during install is intrusive and increases risk if you haven't vetted the code.
Credentials
The skill declares no required environment variables or credentials, which fits. The code does read process.env.HOME and uses file paths (DB path, logs). Config includes owner_ids (users who bypass checks), webhook/SMTP placeholders, and database/log file paths — these are plausible for a security tool, but owner bypass and remote notification configuration could be misused if populated or if the files are modified.
Persistence & Privilege
always:false (good) but the included install scripts create persistent presence by adding plugin directories to ~/.openclaw/openclaw.json and enabling the plugins. That results in the skill being loaded automatically by the agent in future runs unless you remove the entries. The skill also has runtime capability to alter systemPrompt in blocked cases, giving it influence over model responses.
Scan Findings in Context
[ignore-previous-instructions] unexpected: SKILL.md and plugin behavior include explicit systemPrompt injection (e.g., 'You are a security guard... reply with only: "..."'), which the prompt scanner flagged. While used here to force a safe reply on block, this is functionally the same mechanism flagged by the rule and is risky if abused.
[you-are-now] unexpected: The SKILL.md contains role-assignment phrasing used to coerce model behavior. This can be legitimate for a safety plugin but is also a common prompt-injection pattern and should be treated with caution.
[system-prompt-override] expected: Plugins explicitly return a systemPrompt to change the agent's system instruction when blocking. This is behavior the security tool uses to constrain responses, so its presence is expected for the stated purpose — but it remains a high-impact capability and should be audited.
What to consider before installing
This package largely implements what it claims (a local security validator), but it contains intrusive install scripts and high-impact runtime behaviors. Before installing or enabling:
1) Inspect the two plugin install scripts (plugins/*/install.ts) — they write to ~/.openclaw/openclaw.json and will enable the plugins automatically; do not run them unless you trust the code.
2) Review plugin code (plugins/*/index.ts) and the security engine usage: note that the plugin can open a local DB, log events, and return a systemPrompt that forces model replies on block.
3) Check and edit the example config (.openclaw-sec.example.yaml) — remove or review owner_ids and notification webhooks, and set logging/database paths you control.
4) If you only want validation without persistent integration, avoid running the install scripts and call the CLI/tool manually in an isolated environment.
5) If you lack time to audit code, run the skill in a disposable sandbox or container first and do not provide production credentials.
If you want, I can point out the exact lines that modify ~/.openclaw/openclaw.json and where the systemPrompt is composed.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
src/__tests__/cli.test.ts:25
Shell command execution detected (child_process).
src/modules/code-execution-detector/__tests__/detector.test.ts:35
Shell command execution detected (child_process).
src/modules/command-validator/__tests__/validator.test.ts:193
Shell command execution detected (child_process).
src/patterns/runtime-validation/code-execution-patterns.ts:29
Shell command execution detected (child_process).
tests/zeroleaks-pentest.ts:161
Shell command execution detected (child_process).
src/modules/content-scanner/__tests__/scanner.test.ts:169
Dynamic code execution detected.
src/patterns/obfuscation/obfuscation-patterns.ts:127
Dynamic code execution detected.
src/patterns/runtime-validation/code-execution-patterns.ts:125
Dynamic code execution detected.
plugins/security-tool-validator-plugin/index.ts:106
Environment variable access combined with network send.
README.md:630
Prompt-injection style instruction pattern detected.
SKILL.md:646
Prompt-injection style instruction pattern detected.
