Skill v1.0.1

ClawScan security

ClawDefender - OpenClaw Security - Prompt injection, rogue skills etc · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 8:44 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's files and runtime instructions are coherent with a workspace-focused security/sanitization tool, but it makes some environment assumptions (hardcoded workspace path, writes logs/whitelist) and uses npx for a convenience install flow — review those before deploying.
Guidance
What to check before installing:
1) Review the two scripts (sanitize.sh and clawdefender.sh) yourself — they are plain shell and readable.
2) Update the WORKSPACE variable to point to your intended agent/workspace (it's hardcoded to /home/clawdbot/clawd) so the tool doesn't scan unintended locations.
3) Run the scripts in a non-production/test environment first to see what files they read/write (they create logs and a whitelist under the workspace).
4) Be cautious with the '--install' flow: it runs 'npx clawhub install', which fetches/executes code from the network; only use that if you trust the upstream package.
5) Don't run with elevated privileges (root).
6) If you plan to allow autonomous invocation, restrict filesystem permissions and consider sandboxing the workspace to limit blast radius.
7) If you need higher assurance, run the audit step on a copy of your skills directory rather than live data.
Findings
[ignore-previous-instructions] expected: The pre-scan detected the prompt-injection phrase inside SKILL.md. This skill intentionally lists injection patterns (including phrases like 'ignore previous instructions') as examples to detect them, so the finding is expected and not an attempt to manipulate the evaluator.

Review Dimensions

Purpose & Capability
ok · Name/description (scanner + sanitizer) aligns with the provided scripts: sanitize.sh performs prompt checks and wraps clawdefender.sh, and clawdefender.sh contains pattern lists and validation modules. No unrelated credentials, binaries, or opaque network dependencies are demanded by the metadata.
Instruction Scope
note · SKILL.md instructs copying the two scripts into the workspace and piping external content into sanitize.sh, which in turn calls clawdefender.sh for detection. That is within the stated purpose. Two points to note: (1) the README and scripts instruct running 'npx clawhub install' as part of the --install flow (this executes code from the network), and (2) the tool scans the agent workspace and references many sensitive paths and config names — scanning those files is expected for a security tool but can expose sensitive data to the scanner process. Review the scan/audit behavior and test in an isolated environment first.
Install Mechanism
ok · There is no packaged install spec; the skill is instruction-only plus two included shell scripts. No remote download or extract instructions are embedded in the skill files themselves. The only network-execution call is the optional 'npx clawhub install' used by the script's --install flow, which is conventional but runs code from npm at runtime.
Credentials
note · The skill requests no environment variables or credentials in metadata. However, the scripts are hardcoded to use WORKSPACE="/home/clawdbot/clawd" and will read/write under that path (logs, whitelist, security directory). For a security scanner, access to workspace files is proportional to purpose, but the hardcoded path may cause the tool to access unexpected locations on your host if not adjusted. No extraneous credential requests are present in the manifest.
Persistence & Privilege
note · 'always' is false and model invocation is allowed (normal). The script writes persistent artifacts: $WORKSPACE/memory/security-scans.md and $WORKSPACE/security/whitelist.json, and may modify a whitelist. That persistence is reasonable for a scanner, but you should confirm you are comfortable with files being created/updated in the workspace and with the tool running autonomously if you allow it.