Edicts — Ground Truth for AI Agents

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Prompt-injection indicators were detected in the submitted artifacts (system-prompt-override); human review is required before treating this skill as clean.

This skill appears reasonable if you want a local, persistent facts layer for agents. Before installing, verify the package/version, put only trusted facts in edicts, and keep write tools disabled or read-only unless you deliberately want the agent to change future context. ClawScan detected prompt-injection indicators (system-prompt-override), so this skill requires review even though the model response was benign.

Static analysis

Prompt injection instructions

Warn
Finding
Prompt-injection style instruction pattern detected.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anything saved as an edict can become standing context for the agent and may steer future answers.

Why it was flagged

The skill intentionally makes stored local facts part of future agent context, so stale, incorrect, or untrusted edicts could influence later responses.

Skill content
Provides facts in every prompt — edicts appear in system context automatically
Recommendation

Keep edict files curated, avoid storing untrusted instructions, use TTLs/expiry, and regularly run review/audit workflows.

What this means

If write tools are enabled, an agent may add, change, or delete facts that affect future prompts.

Why it was flagged

The documented tools can mutate persistent agent context if write access is enabled. This is purpose-aligned and disclosed, but users should treat it as privileged.

Skill content
`edicts_add` | Create a new edict ... `edicts_update` | Update an existing edict by ID ... `edicts_remove` | Remove an edict
Recommendation

Enable write tools only when needed; otherwise use `tools.enabled: false`, whitelist read-only tools, or set `autoSave: false`.

What this means

Even some reads may update local metadata in the edicts file.

Why it was flagged

A read-style `get` operation can persist access metadata when auto-save is enabled, so 'read-only' behavior is not strictly no-write at the file level.

Skill content
edict.lastAccessed = new Date().toISOString(); this._dirty = true; if (this.autoSave) await this.save();
Recommendation

Set `autoSave: false` if you need a strictly unchanged edict file during runtime reads.
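The excerpt above is easier to reason about when run. The following is an added example written for this review, not code from the Edicts project: a minimal in-memory store whose `get` behaves like the flagged snippet (stamps `lastAccessed`, marks the store dirty, calls `save()` when `autoSave` is on) so the file-level effect of a "read" can be observed with and without `autoSave`. The class name, the `saveCount` counter, the `readAndCompare` helper and the sample edicts are assumptions; only `lastAccessed`, `_dirty`, `autoSave` and `save` come from the excerpt.

```javascript
// Added illustration, not the Edicts project's code. The "file" is an in-memory
// string so the example runs offline; a real check would byte-compare (or hash)
// the edicts file on disk before and after a single read.
class EdictStore {
  constructor(fileContents, { autoSave = true } = {}) {
    this.file = fileContents;              // stands in for the on-disk edicts file
    this.edicts = JSON.parse(fileContents);
    this.autoSave = autoSave;
    this._dirty = false;
    this.saveCount = 0;                    // how many times the "file" was rewritten
  }

  // Read-style lookup that nevertheless mutates state, as in the flagged excerpt.
  // The original awaits save(); this version is synchronous for brevity.
  get(id) {
    const edict = this.edicts.find((e) => e.id === id);
    if (!edict) return null;
    edict.lastAccessed = new Date().toISOString();
    this._dirty = true;
    if (this.autoSave) this.save();
    return edict;
  }

  save() {
    this.file = JSON.stringify(this.edicts);
    this._dirty = false;
    this.saveCount += 1;
  }
}

// Constructed sample edicts file (not taken from any real installation).
const SAMPLE_EDICTS_FILE = JSON.stringify([
  { id: "e1", text: "Production region is eu-west-1" },
  { id: "e2", text: "Never push directly to main" },
]);

// Perform one read and report whether the file contents changed.
// pendingWrite shows the caveat: with autoSave off the access stamp still sits
// in memory and will reach the file on the next explicit save().
function readAndCompare(autoSave) {
  const store = new EdictStore(SAMPLE_EDICTS_FILE, { autoSave });
  store.get("e1");
  return {
    fileChanged: store.file !== SAMPLE_EDICTS_FILE,
    saveCount: store.saveCount,
    pendingWrite: store._dirty,
  };
}

// readAndCompare(true)  -> { fileChanged: true,  saveCount: 1, pendingWrite: false }
// readAndCompare(false) -> { fileChanged: false, saveCount: 0, pendingWrite: true }
```

With `autoSave` on, a single read rewrites the file; with it off the file is untouched for the duration of the reads, but the in-memory record is already modified, so any later `save()` (for example one triggered by a write tool) will persist the access metadata. If an unchanged file matters beyond the current run, compare a hash of the file before and after the session rather than relying on the setting alone.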

What this means

It is unclear whether the reviewed artifacts exactly match the OpenClaw plugin package a user would actually install.

Why it was flagged

The evaluated registry entry is `openclaw-plugin-edicts` version 1.0.6, while SKILL.md shows 1.0.5 and the included package is `edicts` 1.0.4. This does not show malicious behavior, but it is a provenance/version mismatch to verify.

Skill content
"name": "edicts", "version": "1.0.4"
Recommendation

Verify the package source, version, and repository before installation, and prefer pinned/trusted releases.
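A small consistency check makes the mismatch described above mechanical rather than something to eyeball. The following is an added example written for this review, not a ClawScan or OpenClaw tool: it takes the registry entry, the SKILL.md text and the bundled `package.json` text, and returns every disagreement between them. The `version: x.y.z` line format for SKILL.md and the `checkProvenance`/`sampleFindings` names are assumptions; the sample values are the ones quoted in the finding above.

```javascript
// Added illustration, not project code. Cross-checks the three places a
// reviewer sees a version string and returns a list of human-readable
// mismatches (empty list means the artifacts agree).
function checkProvenance({ registryName, registryVersion, skillMd, packageJsonText }) {
  const findings = [];

  const pkg = JSON.parse(packageJsonText);
  if (pkg.name !== registryName) {
    findings.push(`package.json name "${pkg.name}" differs from registry entry "${registryName}"`);
  }
  if (pkg.version !== registryVersion) {
    findings.push(`package.json version ${pkg.version} differs from registry version ${registryVersion}`);
  }

  // Assumption: SKILL.md carries a front-matter style "version: x.y.z" line.
  const m = /^version:\s*([0-9]+\.[0-9]+\.[0-9]+)\s*$/m.exec(skillMd);
  if (!m) {
    findings.push("SKILL.md declares no version line");
  } else if (m[1] !== registryVersion) {
    findings.push(`SKILL.md version ${m[1]} differs from registry version ${registryVersion}`);
  }

  return findings;
}

// Constructed inputs using the values quoted in the finding above; the SKILL.md
// body and description text are made up for the example.
const SAMPLE_ARTIFACTS = {
  registryName: "openclaw-plugin-edicts",
  registryVersion: "1.0.6",
  skillMd: "name: edicts\nversion: 1.0.5\ndescription: Local facts layer for agents\n",
  packageJsonText: JSON.stringify({ name: "edicts", version: "1.0.4" }),
};

function sampleFindings() {
  return checkProvenance(SAMPLE_ARTIFACTS);
}

// sampleFindings() returns three findings: the name mismatch, the package.json
// version mismatch, and the SKILL.md version mismatch.
```

Any non-empty result is a reason to stop and obtain the artifacts from the project's repository at a pinned release before installing; a clean result only shows the copies agree with each other, not that the package itself is trustworthy.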