Skill v1.0.1

ClawScan security

Minduploadedcrab Skillguard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 19, 2026, 8:41 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The package is a mostly coherent Python-based skill scanner that matches its stated purpose, but a prompt-injection marker was detected in the SKILL.md and there are a few behaviours you should manually verify before trusting it.
Guidance
This skill largely does what it claims: it's a Python-based scanner that searches files for risky patterns. However:
1) Open SKILL.md and scripts/skillguard.py and confirm there are no network calls (requests/httpx/urllib) or code paths that send scan results to external endpoints; the provided snippet shows pattern-only scanning but you should verify the rest of the file.
2) Inspect SKILL.md to see why a prompt-injection phrase was detected; ensure it's only an example in documentation and not a buried instruction intended to influence other agents.
3) Because the scanner reads all files in ~/.openclaw/workspace/skills, run it in a safe environment or on a copy to avoid accidental exposure of secrets; review any findings before sharing them.
4) If you plan to allow autonomous invocation, be cautious: an autonomously-invoked scanner that produced automated reports could leak snippets of secrets in its output.
If anything is unclear, ask the author for a justification of the prompt-injection text and for a code walkthrough of network behavior before installing.
Findings
[ignore-previous-instructions] unexpected: A prompt-injection marker was detected inside SKILL.md. A scanner may legitimately document the kinds of prompt-injection phrases it looks for, but including an explicit 'ignore previous instructions' style phrase in SKILL.md can be used to manipulate agents evaluating/installing the skill. Confirm whether the phrase is present as an explanatory example or as an active instruction. Manual review recommended.

Review Dimensions

Purpose & Capability
ok
Name, description, and required binary (python3) match the contained files: a Python scanner (scripts/skillguard.py) plus pattern data. The scanner's declared checks (credentials, exfil, prompt injection, filesystem abuse, etc.) are implemented in the provided code and patterns.json, so the requirements are proportionate to the stated purpose.
Instruction Scope
concern
SKILL.md instructs the agent/user to run the scanner against skill directories (including 'scan-all' which uses the default ~/.openclaw/workspace/skills). That's reasonable for a scanner, but the pre-scan detected a prompt-injection marker ('ignore-previous-instructions') inside SKILL.md itself; this could be an innocuous example of what the scanner detects or could be a malicious attempt to influence downstream evaluations/agents. The scanner reads full files from other installed skills (expected); note that scan results may include sensitive fragments from those files.
Install Mechanism
ok
No install spec is provided (instruction + local files only). Nothing is downloaded or extracted; no third-party registries or unusual URLs are used. This is low-risk from an installation perspective.
Credentials
ok
No environment variables, credentials, or external tokens are requested. The included patterns.json lists many key names to detect in scanned code, which is appropriate for the scanner's role. There is no evidence the skill requests unrelated secrets.
Persistence & Privilege
ok
The skill does not declare always:true and does not appear to modify other skills or global agent configuration. Agent invocation is allowed (default), which is normal, but as with any autonomously-invokable tool, that increases blast radius if the tool were malicious.