Moltbook Firewall

v0.1.0

Security layer protecting agents from prompt injection, social engineering, and malicious content on Moltbook and similar platforms. Scan content before processing, detect threats, block attacks.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name, description, patterns file, and scanner script are aligned: the skill detects prompt injection, code execution, social engineering, and data-exfiltration patterns. It does not request unrelated credentials or unusual system access.
Instruction Scope
Runtime instructions are confined to scanning content and making accept/flag/block decisions. However, the SKILL.md references files/scripts that are not present in the package (patterns/trusted-sources.json and scripts/add-pattern.sh). In the included patterns file the whitelist exists under trusted_domains, so the SKILL.md's reference is a mismatch (likely a documentation bug).
Install Mechanism
There is no install spec and no external downloads; the skill is instruction-only plus a local bash scanner. No high-risk install behavior (no arbitrary remote code fetch) was found.
Credentials
The skill declares no required credentials or env vars, which is proportionate. The scanner writes logs to $HOME/.openclaw/workspace/data/firewall-log.jsonl and uses jq at runtime (jq is not declared in required binaries). Ensure jq is available and be aware that scanned content (up to 500 chars) is persisted to a log file under the user's home directory — this can leak sensitive snippets if not protected.
Persistence & Privilege
always:false and user-invocable:true (defaults) — no forced always-on behavior. The scanner persists logs to a file in the workspace, but it does not modify other skills or system-wide settings. Review and control access to the log path if sensitive content may be scanned.
Scan Findings in Context
[ignore-previous-instructions] expected: The pre-scan detector flagged a prompt-injection phrase that appears inside SKILL.md as an explicit example of prompt-injection attacks. In this context the occurrence is expected and not evidence of malicious intent.
Assessment
This skill appears to do what it claims (pattern-based scanning) and does not request credentials or install remote code, but inspect it and take a few precautions before installing: (1) Confirm jq is available on hosts that will run the script (the script uses jq but the manifest doesn't declare it). (2) Note that scan results (a 500-character preview of content and threat metadata) are appended to $HOME/.openclaw/workspace/data/firewall-log.jsonl — if you will scan sensitive content, restrict access to that log or change the path. (3) SKILL.md mentions scripts/add-pattern.sh and patterns/trusted-sources.json, which are not present; if you need pattern-update tooling, edit patterns/threats.json directly or add your own management script. (4) Review patterns/threats.json to ensure its regexes match your threat model and do not generate unacceptable false positives/negatives. If any of the above are unacceptable or you cannot control log file access, treat the skill cautiously.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f9mxmdthdz44etxgfkwr1a580cev2
