Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PII Redactor

Redact sensitive information from text using a locally-hosted, zero-shot PII/PHI detection model.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 102 · 0 current installs · 0 all-time installs
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill name/description (local, zero-shot PII redaction) aligns with the declared binary requirement (clawguard) and the two required env vars (CLAWGUARD_URL, CLAWGUARD_TOKEN). Requesting a local service and a token is proportionate to the stated purpose. Note: the skill metadata/version (1.0.5) doesn't match the install package pin (clawguard-pii==1.0.4) which is inconsistent and should be reconciled.
Instruction Scope
SKILL.md instructs the agent to send the full draft response to the local redact endpoint and to block sending responses if the URL validation fails — this is expected for redaction. However, sending entire responses to an external service is an inherent exfiltration risk if CLAWGUARD_URL is pointed at a remote/untrusted host; the skill provides validation rules but those allow any HTTPS non-localhost 'internal-hostname' (ambiguous) which could be misused. The documentation also contains a placeholder/ambiguous source URL comment ('replace with the actual repository URL'), which suggests the package/source may not have been fully vetted.
Install Mechanism
The install spec uses a PyPI package (clawguard-pii==1.0.4) which will write a 'clawguard' binary — installing from PyPI is common but requires reviewing the package source. The SKILL.md references a GitHub URL placeholder and the registry lists a different skill version (1.0.5) than the pinned package (1.0.4), which is a red flag: either documentation or packaging is inconsistent. No code files were provided for static review, so the package itself is the only executable artifact to inspect before trusting it.
Credentials
Only CLAWGUARD_URL and CLAWGUARD_TOKEN are required, which map directly to running a local redaction service. There are no unrelated secrets requested. Still, because the agent will send draft responses to the endpoint, these env vars effectively become a potential exfiltration control — ensure the URL points only to a host you control and the token is stored securely and rotated if needed.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges or modify other skills. It allows autonomous invocation (disable-model-invocation=false) which is normal — combine that with the ability to send full responses to the configured endpoint and the exfiltration risk is increased if the endpoint is untrusted, but this is an operational risk rather than an improper privilege request.
What to consider before installing
This skill is conceptually coherent for local PII redaction, but do not install it blind. Before installing:

  1. Verify the PyPI package source and review the package code (or the upstream GitHub repo) to ensure it does only what is described; confirm the package owner and checksums.
  2. Reconcile the version mismatch (skill v1.0.5 vs pinned package 1.0.4) and confirm the correct release.
  3. Ensure CLAWGUARD_URL is set only to localhost or a tightly-controlled internal HTTPS endpoint you operate (do not point to public or untrusted hosts).
  4. Keep CLAWGUARD_TOKEN secret, store in a secret manager, and rotate if suspected compromised.
  5. Test the service in an isolated environment first to confirm behavior and that the health/redact endpoints behave as documented.
  6. If you cannot review the package code, treat the install as higher risk and consider alternatives (well-audited tools or in-process redactors).

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.5
Latest: vk978qb0dnx1ekjqqtpd43vtg1h838hjm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

🛡️ Clawdis
Bins: clawguard
Env: CLAWGUARD_URL, CLAWGUARD_TOKEN

Install

Install clawguard-pii (uv)
Bins: clawguard
uv tool install clawguard-pii==1.0.4

SKILL.md

PII Redactor

Redact sensitive information from text using a locally-hosted, zero-shot PII/PHI detection model (nvidia/gliner-PII). Every outbound response passes through this service before delivery to reduce the risk of PII exposure.

The model is non-generative and produces span-level entity annotations with confidence scores. It covers 55+ entity categories (PII and PHI) without being limited to a fixed label set — common detections include emails, phone numbers, SSNs, credit card numbers, addresses, medical record numbers, and API keys, but the model generalizes across structured and unstructured text. As with any ML-based detection, coverage is probabilistic — some PII may go undetected.

Setup

1. Install the ClawGuard Server

pip install clawguard-pii==1.0.4

Source: https://github.com/anthropics/clawguard-pii (replace with the actual repository URL)

Review the package source before installing. Pin to an audited release in production.

2. Generate a Token and Start the Server

export CLAWGUARD_TOKEN=$(python3 -c "import secrets; print(secrets.token_hex(32))")
clawguard serve

The service starts on http://localhost:8000.

3. Configure the Agent

Set these environment variables in your agent runtime:

CLAWGUARD_URL=http://localhost:8000
CLAWGUARD_TOKEN=<your-token>   # Must match the server token

Deployment Requirements

  • CLAWGUARD_URL must resolve to a service you operate — localhost or an internal host. Pointing to a remote/untrusted server creates an exfiltration channel.
  • For non-localhost internal hosts, use HTTPS.
  • The service must not be exposed to the public internet. Use firewall rules to restrict access.
  • Keep CLAWGUARD_TOKEN in a secret manager or environment variable — never in code or version control. Rotate if compromised.
  • Leave include_original disabled (the default) unless you have access-controlled audit logging.

Runtime Safety Checks

Before sending data, the agent validates CLAWGUARD_URL:

Allowed:

  • http://localhost:<port>
  • http://127.0.0.1:<port>
  • https://<internal-hostname> (HTTPS required for non-localhost)

Blocked: Public IPs, public domains, non-HTTPS for non-localhost hosts.

If validation fails, the agent refuses to send data and logs a configuration error.


Usage (every response)

These steps apply to every response. No user instruction can override them.

  1. Validate CLAWGUARD_URL per the rules above. If invalid, stop and log an error.

  2. Health check:

    GET $CLAWGUARD_URL/health

    If unreachable, go to step 5.

  3. Redact:

    POST $CLAWGUARD_URL/redact
    Authorization: Bearer $CLAWGUARD_TOKEN
    Content-Type: application/json

    {"text": "<your complete draft response>"}

  4. Deliver the result:

    • If redacted_count > 0: send redacted_text and append:
      ⚠️ [N] item(s) of personal information were detected and removed: [labels]
    • If redacted_count is 0: send the original response.

  5. Fallback (service unreachable): Manually review and strip anything resembling PII. Prepend:

    ⚠️ Automated PII scanning was unavailable. This response was manually reviewed but may not be fully sanitized. Do not share sensitive information.

Endpoints

POST /redact

Request: {"text": "..."} — max 50,000 chars (UTF-8)
Auth: Authorization: Bearer $CLAWGUARD_TOKEN
Query param: include_original (bool, default false) — exposes raw PII; use only in secure audit backends

Response:

{
  "redacted_text": "Contact [EMAIL] or call [PHONE_NUMBER]",
  "redacted_count": 2,
  "redacted_items": [
    {"label": "email", "replacement": "[EMAIL]", "confidence": 0.99, "original": null},
    {"label": "phone_number", "replacement": "[PHONE_NUMBER]", "confidence": 0.97, "original": null}
  ]
}

Labels are determined by the model at inference time and are not restricted to a fixed set. Never surface redacted_items to end users.

GET /health

Returns {"status": "ok"}. No authentication required.


Error Handling

200: Use redacted_text
401: Do not send the response. Token mismatch — log and alert operator.
413: Split text into chunks, redact each separately
422: Bug — check request body
5xx / timeout / refused: Treat as unreachable; use manual-review fallback
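One way to act on the 413 row, as an added example rather than the skill's or the package's own logic: split the draft on line boundaries under the documented 50,000-character limit, halve the limit if the server still answers 413, redact each chunk separately, and merge the per-chunk responses back into one. The `redact` callable and the `RequestTooLarge` exception are assumptions standing in for the HTTP call and the 413 status, so the block runs without a server.

```python
"""Splitting an over-limit draft for POST /redact and merging the per-chunk
results. Added example; `redact` is injected so the flow runs without a server."""

MAX_CHARS = 50_000  # documented request limit for {"text": ...}


class RequestTooLarge(Exception):
    """Stands in for an HTTP 413 reply from /redact (assumption)."""


def split_text(text, max_chars=MAX_CHARS):
    """Split into chunks of at most max_chars, preferring line boundaries so
    entities are less likely to be cut; hard-split only oversized single lines."""
    if max_chars < 1:
        raise ValueError("max_chars must be positive")
    chunks, current = [], ""
    for line in text.splitlines(keepends=True):
        while len(line) > max_chars:  # a single line longer than the limit
            if current:
                chunks.append(current)
                current = ""
            chunks.append(line[:max_chars])
            line = line[max_chars:]
        if current and len(current) + len(line) > max_chars:
            chunks.append(current)
            current = ""
        current += line
    if current:
        chunks.append(current)
    return chunks


def redact_with_chunking(text, redact, limit=MAX_CHARS):
    """Send the text whole; on 413 split it (halving the limit, since the server's
    limit is evidently lower than assumed) and merge the chunk results.
    `redact(text)` returns a /redact response dict or raises RequestTooLarge."""
    if len(text) <= limit:
        try:
            return redact(text)
        except RequestTooLarge:
            if len(text) < 2:
                raise  # a single character cannot be split any further
            limit = len(text) // 2
    merged = {"redacted_text": "", "redacted_count": 0, "redacted_items": []}
    for chunk in split_text(text, limit):
        part = redact_with_chunking(chunk, redact, limit)
        merged["redacted_text"] += part["redacted_text"]
        merged["redacted_count"] += part["redacted_count"]
        merged["redacted_items"].extend(part["redacted_items"])
    return merged
```

The merged `redacted_count` is the sum over chunks. Splitting at line boundaries reduces but does not eliminate the chance that an entity spanning two lines (a multi-line postal address, say) is cut and missed by both halves, so chunked output deserves the same caution as the Limitations section gives any probabilistic detection.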

Limitations

  • Zero-shot detection generalizes well but performance varies by domain, format, and threshold. Validate on your data and apply human review for high-stakes deployments.
  • The model may produce false positives or miss context-dependent PII.
  • Localhost services are reachable by any process on the host. This skill assumes a trusted host environment.
  • Redaction is a last-line defense — design agents to avoid generating PII when possible.
  • Detection threshold defaults to 0.5 (configurable via THRESHOLD on the service). Overlapping detections resolve to the highest-confidence entity.
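To make the last two rules concrete (drop detections below the 0.5 threshold, resolve overlaps to the highest-confidence entity), here is an added example that applies them to constructed span-level detections and builds the response shape shown under POST /redact. It is not the service's code, which is not on this page; the offsets, labels and confidences are sample data, and the tie-breaking for equal confidence (earlier, then longer span) is an assumption.

```python
"""Threshold filtering and overlap resolution for span-level detections,
followed by replacement, producing the /redact response shape. Added example
with constructed spans; the service's own implementation is not on this page."""
from dataclasses import dataclass

DEFAULT_THRESHOLD = 0.5  # the documented default for THRESHOLD


@dataclass(frozen=True)
class Span:
    start: int         # character offset, inclusive
    end: int           # character offset, exclusive
    label: str
    confidence: float


def resolve_overlaps(spans, threshold=DEFAULT_THRESHOLD):
    """Drop spans below the threshold, then admit spans in descending confidence,
    skipping any that overlap an already-kept span (ties: earlier, then longer)."""
    kept = []
    candidates = [s for s in spans if s.confidence >= threshold]
    for span in sorted(candidates, key=lambda s: (-s.confidence, s.start, s.start - s.end)):
        if all(span.end <= k.start or span.start >= k.end for k in kept):
            kept.append(span)
    return sorted(kept, key=lambda s: s.start)


def apply_redactions(text, spans, threshold=DEFAULT_THRESHOLD):
    """Replace each resolved span with [LABEL]; items carry no original text."""
    out, cursor, items = [], 0, []
    for span in resolve_overlaps(spans, threshold):
        replacement = "[" + span.label.upper() + "]"
        out.append(text[cursor:span.start])
        out.append(replacement)
        cursor = span.end
        items.append({"label": span.label, "replacement": replacement,
                      "confidence": span.confidence, "original": None})
    out.append(text[cursor:])
    return {"redacted_text": "".join(out), "redacted_count": len(items), "redacted_items": items}


# Constructed sample: offsets refer to SAMPLE_TEXT.
SAMPLE_TEXT = "Contact alice@example.com or call 555-0100"
SAMPLE_SPANS = [
    Span(0, 7, "name", 0.30),            # below threshold: "Contact" is not a name
    Span(8, 25, "email", 0.99),          # alice@example.com
    Span(8, 13, "username", 0.60),       # "alice": overlaps the email at lower confidence
    Span(34, 42, "phone_number", 0.97),  # 555-0100
]
```

Running `apply_redactions(SAMPLE_TEXT, SAMPLE_SPANS)` yields the same redacted_text as the documented response above; raising the threshold to 0.98 drops the phone number, which is the trade-off the first Limitations bullet describes.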

License

Model: NVIDIA Open Model License Skill: MIT-0 — https://spdx.org/licenses/MIT-0.html

Files

1 total