Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Runtime Security Guard (English)

v2.1.0

Enterprise-grade AI runtime security protection v2.1. Provides 410+ security rules with cross-platform detection (Windows/macOS/Linux), detecting 10 categori...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description align with the included code: hook layers, detectors, rule engine, web dashboard and honeypot features are appropriate for a runtime security guard. However the package metadata declares no required runtime/binaries or env vars while the code/architecture docs explicitly require Node.js (v18+) and other runtime assumptions — this mismatch is incoherent and should be corrected. The presence of honeypot features (GitHub/OpenAI/AWS token traps) and OS-specific monitors (macOS keychain/launchagents) is consistent with the stated purpose but implies access to sensitive subsystems.
Instruction Scope
SKILL.md instructs users to run remote install scripts (curl|bash from raw.githubusercontent.com) and to copy files into the OpenClaw skills dir. The skill's hooks include events that intercept file reads, tool results, user input and agent responses — appropriate for a security guard but highly invasive. The SKILL.md mentions 'Save configuration online' and the code accepts a configurable webhook (config.webhookUrl) — yet no external endpoints or env vars are declared in metadata. The SKILL.md also contains prompt-injection example strings; while those may be test cases, any prompt-injection content inside runtime instructions can be abused if not sanitized.
Install Mechanism
No formal install spec in registry metadata, but SKILL.md recommends running a remote install script piped to bash from GitHub raw (install-no-sudo.sh). Pipe-to-shell of remote scripts is high-risk and should be avoided unless you audit the script. Alternative instructions clone/build locally (git clone + npm install + npm run build) which is expected, but the manifest failing to declare Node/npm as required is an inconsistency.
Credentials
The skill declares no required environment variables or primary credential, but the code references optional external webhook configuration and includes honeypot modules intended to capture tokens (OpenAI, GitHub, AWS, etc.). The SKILL.md promises 'automatic environment variable configuration' which could modify env vars without declaring them. Requesting or capturing wide-ranging secrets is not justified by the metadata and increases risk if defaults enable webhook/external forwarding.
Persistence & Privilege
The skill is not marked always:true and does not request special platform flags in metadata. It installs into the user's OpenClaw skills directory and registers runtime hooks that intercept many agent events — this is expected for a runtime protection skill but grants broad visibility into agent activity (file reads, tool outputs, user inputs). Combined with undeclared network/webhook capabilities, this broad access raises concern and warrants review prior to production deployment.
Scan Findings in Context
[ignore-previous-instructions] expected: The SKILL.md contains prompt-injection strings such as 'ignore-previous-instructions'. That could be legitimate test/example content for prompt-injection detection rules (the skill advertises prompt-injection detection), but any such strings inside runtime instructions or examples should be audited because they can be abused to manipulate an agent during install or runtime.
[unicode-control-chars] unexpected: Unicode control characters detected in SKILL.md may be used to obfuscate text or injection patterns. This is not required for normal documentation and should be inspected in the repository files to ensure there is no hidden manipulation or obfuscated instructions.
What to consider before installing
- Verify the repository owner and source: confirm the GitHub repo (https://github.com/nanlin300624/runtime-security-guard) is trustworthy and review author identity and issues/commits. Do not trust the skill solely because it is on GitHub.
- Do NOT run curl | bash on a raw URL without auditing the script. Instead clone the repo and inspect install-no-sudo.sh and other scripts locally before running. Prefer building locally (npm install; npm run build) in an isolated environment.
- Confirm runtime requirements: the code and docs require Node.js 18+. The registry metadata does not declare this. Ensure your environment meets the declared prerequisites and that the manifest is corrected.
- Audit network behavior: search the code for webhook, HTTP client, remote endpoints, and any code paths that send detection logs or captured data off-host. Ensure the default config does not enable external webhooks or 'save configuration online'.
- Review honeypot functionality and default rule configs: honeypots that intentionally collect tokens (GitHub/OpenAI/AWS/etc.) are plausible for testing but can capture sensitive secrets and store them in logs. Verify what is captured, where logs are written, who can access them, and whether any aggregation/exfiltration is present.
- Inspect SKILL.md and other docs for embedded prompt-injection examples or obfuscated characters. Treat those sections as test data only and ensure they are not executed or injected into runtime agents.
- Run the skill first in an isolated sandbox or test account (not on production or with privileged secrets) and monitor outbound network connections during operation.
- If you plan to use it in production, require an internal security/code review: check install scripts, manage the web dashboard binding (ensure it does not expose to the network by default), review storage of logs, and disable any remote reporting until verified.
If you want, I can:
- list the files that call external network functions/webhooks and show those code snippets,
- extract and display the install-no-sudo.sh content for quick review,
- or search the repo for occurrences of 'webhook', 'http', 'curl', 'token', 'key', and 'ssh' to pinpoint high-risk code.
(This would help raise confidence one way or the other.)
build-complete/scripts/check-install.js:59
Shell command execution detected (child_process).
build-complete/scripts/test-interception.js:54
Shell command execution detected (child_process).
build-complete/src/monitor/macos/gatekeeper-monitor.ts:34
Shell command execution detected (child_process).
build-complete/src/monitor/macos/keychain-monitor.ts:87
Shell command execution detected (child_process).
build-complete/src/monitor/macos/permissions-monitor.ts:81
Shell command execution detected (child_process).
build-complete/src/monitor/network-monitor.ts:91
Shell command execution detected (child_process).
build-complete/src/monitor/process-monitor.ts:85
Shell command execution detected (child_process).
build-complete/src/utils/platform.ts:133
Shell command execution detected (child_process).
build/scripts/check-install.js:59
Shell command execution detected (child_process).
build/src/monitor/macos/gatekeeper-monitor.ts:34
Shell command execution detected (child_process).
build/src/monitor/macos/keychain-monitor.ts:87
Shell command execution detected (child_process).
build/src/monitor/macos/permissions-monitor.ts:81
Shell command execution detected (child_process).
build/src/monitor/network-monitor.ts:91
Shell command execution detected (child_process).
build/src/monitor/process-monitor.ts:85
Shell command execution detected (child_process).
build/src/utils/platform.ts:133
Shell command execution detected (child_process).
scripts/check-install.js:59
Shell command execution detected (child_process).
scripts/test-interception.js:54
Shell command execution detected (child_process).
src/monitor/macos/gatekeeper-monitor.ts:34
Shell command execution detected (child_process).
src/monitor/macos/keychain-monitor.ts:87
Shell command execution detected (child_process).
src/monitor/macos/permissions-monitor.ts:81
Shell command execution detected (child_process).
src/monitor/network-monitor.ts:91
Shell command execution detected (child_process).
src/monitor/process-monitor.ts:85
Shell command execution detected (child_process).
src/utils/platform.ts:133
Shell command execution detected (child_process).
build-complete/scripts/web-admin-modern.js:11
Environment variable access combined with network send.
build-complete/scripts/web-server-v2.js:17
Environment variable access combined with network send.
build/scripts/web-admin-modern.js:11
Environment variable access combined with network send.
scripts/web-admin-modern.js:11
Environment variable access combined with network send.
scripts/web-server-v2.js:17
Environment variable access combined with network send.
build-complete/scripts/web-admin-modern.js:56
File read combined with network send (possible exfiltration).
build-complete/scripts/web-server-v2.js:45
File read combined with network send (possible exfiltration).
build-complete/src/rules/patterns/supplyChain.ts:138
File read combined with network send (possible exfiltration).
build/scripts/web-admin-modern.js:56
File read combined with network send (possible exfiltration).
build/src/rules/patterns/supplyChain.ts:138
File read combined with network send (possible exfiltration).
scripts/web-admin-modern.js:56
File read combined with network send (possible exfiltration).
scripts/web-server-v2.js:45
File read combined with network send (possible exfiltration).
src/rules/patterns/supplyChain.ts:138
File read combined with network send (possible exfiltration).
build-complete/docs/AUTO-TEST.md:147
Prompt-injection style instruction pattern detected.
build-complete/RULES-EXPANDED.md:189
Prompt-injection style instruction pattern detected.
build-complete/tests/samples.md:40
Prompt-injection style instruction pattern detected.
docs/AUTO-TEST.md:147
Prompt-injection style instruction pattern detected.
RULES-EXPANDED.md:189
Prompt-injection style instruction pattern detected.
TEST-REPORT.md:95
Prompt-injection style instruction pattern detected.
TEST-RESULT.md:78
Prompt-injection style instruction pattern detected.
tests/samples.md:40
Prompt-injection style instruction pattern detected.
VERSION.md:270
Prompt-injection style instruction pattern detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
