Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Runtime Security Guard
v2.2.0 · Enterprise-grade AI runtime security protection skill v2.1. Provides 406+ security rules, supports cross-platform detection (Windows/macOS/Linux), and detects 9 major categories of security threats. Runs entirely locally, with no cloud API and no quota limits. Ships with a modern web monitoring interface and an automated test system.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Scanner: OpenClaw. Verdict: Suspicious (high confidence).
Purpose & Capability
The name/description (a local runtime security guard) aligns with the included hooks, detectors, rules, and web UI. It legitimately needs to intercept file reads, tool outputs, and user input to do detection. However there are inconsistencies: the registry metadata lists 'No install spec — instruction-only', yet the package contains hundreds of source/build files and install scripts; SKILL.md header/version (v2.1.0) differs from registry version 2.2.0 in metadata and other docs reference 1.1.0/v2.0.0. The skill also advertises 'completely local / no cloud API' while the code supports sending alerts to an external webhook (config.webhookUrl), which is not explained or constrained in SKILL.md.
Instruction Scope
SKILL.md states the plugin 'automatically' intercepts 'all file reads, tool results, user input, agent responses'. That scope is broad and implies access to arbitrary user data and secrets. The instructions include installing via curl|bash from raw.githubusercontent.com and scripts to start a local web server. SKILL.md also contains pre-scan detected prompt-injection patterns (e.g., 'ignore-previous-instructions' and Unicode control characters), which suggests the skill author attempted to include content that could influence LLM behavior; that is unexpected in a benign README and increases risk when the skill is loaded by an LLM-based agent.
Install Mechanism
Installation methods mention ClawHub and direct download from GitHub (raw.githubusercontent.com and GitHub releases). GitHub is a standard host and the included install scripts (install-no-sudo.sh, install.sh) are present inside the package. The registry metadata's 'no install spec' contradicts the presence of these scripts — this mismatch matters because an instruction-only skill has lower risk than one that writes and executes many files. The install scripts should be audited before running; using curl | bash to execute a remote script is higher-risk even when fetched from GitHub.
Credentials
The skill requests no declared environment variables or credentials, but its behavior (hooks that intercept file reads, logs that persist to ./logs, a honeypot system for tokens/keys, and optional webhook sending) implies it will touch sensitive data and may collect secrets. The presence of honeypot descriptions that mention GitHub/OpenAI/AWS credentials means the code is explicitly designed to capture credential-like strings; that capability is reasonable for detection but also increases the blast radius if logs or webhooks are misconfigured. No dedicated justification or safe-defaults for external sinks are provided in SKILL.md.
Persistence & Privilege
always:false (not force-included), which is appropriate. However, SKILL.md says the skill 'installs and runs automatically' and will 'auto-run' after install and 'intercept' activities. Autonomous invocation is allowed (default) and is expected for skills, but combined with the broad interception scope and potential external alerting, this gives significant runtime reach. The skill does not declare needing to modify other skills or global configs, which is good; still, the automatic, pervasive interception behavior should be reviewed and constrained during deployment.
Scan Findings in Context
[prompt-injection:ignore-previous-instructions] unexpected: SKILL.md contains the pattern 'ignore-previous-instructions' (a prompt-injection indicator). A security-skill README should not include content that attempts to override or bypass prior instructions to an LLM. This is unexpected and suspicious; it could be an attempt to manipulate agents that load the SKILL.md.
[unicode-control-chars] unexpected: Unicode control characters were detected in the SKILL.md. Authors sometimes use these to hide or obfuscate injection payloads for LLMs. This is not normal for documentation and raises a red flag.
What to consider before installing
Plain-language next steps and cautions:
- Do not run the remote install scripts (curl | bash) or run the included install scripts on production systems before review. Treat the package like code that requires auditing.
- The skill legitimately needs to intercept file reads and tool outputs to detect threats, but that means it will access anything your OpenClaw agent can access (including secrets, files, tool outputs). Only install in a limited/sandboxed environment (VM or disposable test instance) first.
- Audit these things before trusting:
- install-no-sudo.sh / install.sh and any scripts that create services or set env vars. Look for network calls, added cron jobs, or commands that change permissions.
- code that writes logs or exposes web UI (web server on :3000). Verify default configs disable external webhooks and remote reporting.
- any code that implements the honeypot or token-trapping features — confirm how captured tokens are stored, rotated, or transmitted. Ensure webhookUrl is unset by default.
- the SKILL.md and other docs for the detected prompt-injection strings and Unicode control characters; remove or neutralize them before loading the skill into an LLM's environment.
- Prefer to audit and run the skill locally with network egress blocked, or run it behind strict firewall rules and with a non-privileged OpenClaw test installation. Check openclaw.plugin.json and package.json for required permissions and startup behavior.
- If you don't have the capacity to audit, consider using a well-known, widely-reviewed runtime-security alternative or ask the author to provide an attestable provenance (e.g., known org GitHub account, signed release artifacts, or a 3rd-party code audit).
If you want, I can: (a) list the top files to inspect first (install scripts, alerter/alerter.sendWebhook, honeypot implementation, hooks/file-reader, and the SKILL.md lines with injection content), or (b) extract and show the exact SKILL.md lines that triggered the prompt-injection detector so you can review them.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Shell command execution detected (child_process):
- build-complete/scripts/check-install.js:59
- build-complete/scripts/test-interception.js:54
- build-complete/src/monitor/macos/gatekeeper-monitor.ts:34
- build-complete/src/monitor/macos/keychain-monitor.ts:87
- build-complete/src/monitor/macos/permissions-monitor.ts:81
- build-complete/src/monitor/network-monitor.ts:91
- build-complete/src/monitor/process-monitor.ts:85
- build-complete/src/utils/platform.ts:133
- build/scripts/check-install.js:59
- build/src/monitor/macos/gatekeeper-monitor.ts:34
- build/src/monitor/macos/keychain-monitor.ts:87
- build/src/monitor/macos/permissions-monitor.ts:81
- build/src/monitor/network-monitor.ts:91
- build/src/monitor/process-monitor.ts:85
- build/src/utils/platform.ts:133
- scripts/check-install.js:59
- scripts/test-interception.js:54
- src/monitor/macos/gatekeeper-monitor.ts:34
- src/monitor/macos/keychain-monitor.ts:87
- src/monitor/macos/permissions-monitor.ts:81
- src/monitor/network-monitor.ts:91
- src/monitor/process-monitor.ts:85
- src/utils/platform.ts:133
Environment variable access combined with network send:
- build-complete/scripts/web-admin-modern.js:11
- build-complete/scripts/web-server-v2.js:17
- build/scripts/web-admin-modern.js:11
- scripts/web-admin-modern.js:11
- scripts/web-server-v2.js:17
File read combined with network send (possible exfiltration):
- build-complete/scripts/web-admin-modern.js:56
- build-complete/scripts/web-server-v2.js:45
- build-complete/src/rules/patterns/supplyChain.ts:138
- build/scripts/web-admin-modern.js:56
- build/src/rules/patterns/supplyChain.ts:138
- scripts/web-admin-modern.js:56
- scripts/web-server-v2.js:45
- src/rules/patterns/supplyChain.ts:138
Prompt-injection style instruction pattern detected:
- build-complete/docs/AUTO-TEST.md:147
- build-complete/RULES-EXPANDED.md:189
- build-complete/tests/samples.md:40
- docs/AUTO-TEST.md:147
- RULES-EXPANDED.md:189
- TEST-REPORT.md:95
- TEST-RESULT.md:78
- tests/samples.md:40
- VERSION.md:270
