Counterclaw Core

Audited by ClawScan on May 10, 2026.

Overview

The core scanner is purpose-aligned, but the email wrapper can send without protection if the scanner import fails, and violation text is written into persistent OpenClaw memory.

Review this skill before installing if you plan to use the email integration or memory logging. Test with --dry-run, ensure the scanner import works, avoid sending from sensitive Gmail accounts, and consider disabling or relocating violation logs until they are stored outside reusable agent memory.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may believe PII protection is active while the email script sends messages without scanning them.

Why it was flagged

If the scanner import fails, outbound content is treated as safe rather than blocked. The email wrapper then proceeds unless the scanner exits with a PII-detected error, so a protected-email workflow can send without protection.

Skill content

except ImportError: COUNTERCLAW_AVAILABLE = False; print("Warning: CounterClaw not installed. Running without protection.") ... if not COUNTERCLAW_AVAILABLE: return {"safe": True, "pii_detected": None, "scanned": False}

Recommendation

Fail closed when CounterClaw cannot be imported, resolve the local src path relative to the script, and require an explicit user flag such as --allow-unprotected before sending without scanning.

What this means

Malicious prompt snippets or sensitive context could persist beyond the current task and later influence the agent if memory is reloaded.

Why it was flagged

Blocked user-controlled prompt text is logged by default into OpenClaw's persistent memory file. PII is masked, but prompt-injection text is not neutralized before being stored for possible future agent context.

Skill content

MEMORY_PATH = MEMORY_DIR / "MEMORY.md" ... async def check_input_async(self, text: str, log_violations: bool = True) ... _log_violation(result, "input", text) ... f.write(f"**Sample:** {safe_text[:100]}...\n")

Recommendation

Log security events to an isolated audit log outside agent memory, or quote/neutralize samples, make logging opt-in, and document retention and cleanup controls.

What this means

The email integration can send messages from the configured Gmail account.

Why it was flagged

The optional email integration uses Gmail account access through gog. This is disclosed and aligned with sending email, but users should recognize it grants account sending authority.

Skill content

Configure gog auth: `gog login your-email@gmail.com` ... export GOG_ACCOUNT=your-email@gmail.com ... export GOG_KEYRING_PASSWORD=your-keyring-password

Recommendation

Use a dedicated account or least-privilege setup where possible, and avoid storing keyring passwords in shared shell profiles.

What this means

Users or tooling may not be prompted for all setup steps and file-writing behavior before use.

Why it was flagged

The skill documents install, environment, and file requirements, while the registry summary reports no install spec, no required env vars, and no required config paths. This appears under-declared rather than hidden.

Skill content

install: "pip install ." ... requirements: env: - TRUSTED_ADMIN_IDS ... files: - "~/.openclaw/memory/" - "~/.openclaw/memory/MEMORY.md"

Recommendation

Align registry metadata with SKILL.md and README, including the local install step, memory path, TRUSTED_ADMIN_IDS, and optional gog/Gmail prerequisites.