Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Edicts — Ground Truth for AI Agents
v1.0.6
Ground truth layer for AI agents — provide verified facts in every prompt and expose read/search tools for edict management. Write tools are opt-in. No more...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (ground-truth injection) aligns with the shipped code: a local EdictStore that reads/writes YAML/JSON and renders edicts into prompt context. There are small inconsistencies in docs/metadata (Node engine/version strings vary; SKILL.md sometimes says tools are 'opt-in' but other places imply a 'true' default), but nothing that suggests unrelated capabilities (no cloud creds, no unexpected binaries).
Instruction Scope
SKILL.md explicitly instructs the plugin to inject edicts into the system prompt (this is the feature). That is inherently high-impact because it changes model behavior. The docs state write tools are 'opt-in' but elsewhere indicate a default of 'tools.enabled: true', and autoSave defaults to true in the code — this ambiguity matters because enabling write tools + autoSave lets agents persist changes to the file (i.e., mutate the system context). The CLI/store code only reads/writes local files and does not reference environment secrets, but the findEdictsFile routine walks up the directory tree to root, which could cause it to pick up edict files outside the immediate workspace unless you set an explicit path.
Install Mechanism
No external download/install spec in the plugin bundle; package is self-contained TypeScript with a single runtime dependency ('yaml'). No network calls, external URLs, or extract-from-URL installs were found in the source. package.json and package-lock list normal dependencies/dev deps.
Credentials
The skill requires no environment variables or external credentials. All storage is file-based. The code accesses filesystem paths (read/write) and computes a file hash for optimistic concurrency — these are proportional to a local edict store.
Persistence & Privilege
The plugin is not always-included (always:false) and model invocation is permitted (normal). The main concern is persistence: EdictStore defaults (and SKILL.md wording) imply runtime mutations may be auto-saved. If you enable write tools and leave autoSave true, an agent could autonomously add/update/remove edicts and thereby alter future system prompts. This is an intended capability but a high-privilege one — confirm settings before enabling.
Scan Findings in Context
[system-prompt-override] expected: The SKILL.md and plugin are explicitly designed to inject content into the model's system prompt (the core feature). The scan flagged a system-prompt-override pattern; this matches the plugin's stated behavior but is a powerful capability that merits caution.
Assessment
This plugin appears to be what it says: a local edict manager that injects curated facts into the system prompt. Before installing/activating it, do the following:
1) Decide whether agents should be allowed to write to the edicts file — safest config is tools.enabled: false and autoSave: false so only your curated file is injected.
2) Set an explicit path in the plugin config (path: './edicts.yaml' or a repo-controlled path) to avoid the plugin walking up the filesystem and picking up unexpected files.
3) If you enable write tools, require a manual review/audit process (or disable autoSave) so agents cannot permanently change system prompts without human oversight.
4) Verify which defaults your OpenClaw install uses (the docs are slightly inconsistent about defaults).
5) Keep the edicts file under version control and review its contents regularly — because anything in that file will influence model behavior.
If you want, I can produce a safe default openclaw.json snippet you can paste to minimize risk.
README.md:47
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📜 Clawdis
