Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tophant Clawvault

v0.1.3

AI security system for protecting agents from prompt injection, data leakage, and dangerous commands

by Ali0th (@martin2877)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (local proxy that inspects agent traffic) match the code and SKILL.md: the manager installs a 'clawvault' Python package, writes config under ~/.ClawVault, and proxies/inspects traffic for LLM hosts. Permissions (execute_command, read/write files, network) are consistent with that purpose.
Instruction Scope
SKILL.md and the manager explicitly state the proxy will see requests/responses and API keys (this is expected for a MITM-style local inspector). The instructions do not direct the agent to read arbitrary unrelated system files, but they do instruct creation/reading of ~/.ClawVault and use of the local dashboard API. The documentation warns that the dashboard has no auth by default and that ssl_verify is disabled by default — both are operational security concerns the user must accept or mitigate.
Install Mechanism
There is no platform install spec in the registry, but clawvault_manager.py runs pip to install the package from PyPI and falls back to GitHub. The code pins to clawvault>=0.1.0,<1.0.0 and a v0.1.0 GitHub tag fallback; SKILL.md/README text is inconsistent about pinning. Installing from PyPI/GitHub without cryptographic checksum verification is a supply-chain risk (acknowledged in SECURITY.md).
Credentials
The skill requests no external credentials or environment variables in metadata. The proxied traffic will expose API keys and PII to the local process (explicitly documented). The level of access requested (file read/write in ~/.ClawVault, network, execute) is proportionate to a proxy/inspector tool.
Persistence & Privilege
The always flag is false and the skill does not request forced global persistence. The skill writes only to its own config directory (~/.ClawVault). It does run pip install, which makes system changes consistent with installing a package; it does not modify other skills or system-wide agent settings in the provided code.
Assessment
This skill appears to be what it says: a local proxy that inspects AI traffic. That capability is powerful and risky — the proxy will see API keys, prompts, and responses. Before installing:
(1) Review the clawvault_manager.py source and SECURITY.md;
(2) Prefer running in an isolated VM/container for initial evaluation;
(3) Ensure the dashboard binds to 127.0.0.1 (do NOT use 0.0.0.0) or require SSH tunneling/reverse proxy with auth;
(4) Consider pinning the exact clawvault package version and verifying checksums rather than allowing unpinned PyPI installs;
(5) Change ssl_verify=false only with full understanding — MITM inspection requires disabling verification but reduces guarantees;
(6) Configure audit log retention and secure/remove ~/.ClawVault/audit.db as needed;
(7) If you cannot audit the upstream package or run it in isolation, avoid installing in production systems that hold sensitive credentials.
The README/SECURITY.md call these out, but pay attention to the documented inconsistencies (registry SKILL.md version vs. package manager usage and wording about version pinning).


latest: vk970zpc8za4as78z3z4g9mnvgh835gdv
