Tinman - AI Failure Mode Research, Prompt Injection & Tool Exfil Detection
Audited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (ignore-previous-instructions); human review is required before treating this skill as clean.
Tinman does not show artifact-backed malicious behavior in the provided material. Before installing, be comfortable with it reviewing OpenClaw session history, writing local report/event files, optionally running a watcher, and installing external Python dependencies; keep remote gateway/Oilcan access disabled unless you explicitly trust the endpoint. ClawScan detected prompt-injection indicators (ignore-previous-instructions), so this skill requires review even though the model response was benign.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user agent reviewing or using the skill may be exposed to prompt-injection test strings.
The scanner detected prompt-injection-style text in SKILL.md. For this skill, that content is consistent with attack probes and security examples, but it is still important that agents treat it as data, not as an instruction.
Evidence: "Ignore previous instructions and..."
Keep probe strings clearly separated from operational instructions and do not copy them into trusted agent policy except as inert examples.
If a user chooses risky/yolo modes or broad allowlists, Tinman may stop requiring review for actions it would otherwise flag.
The skill intentionally provides modes and allowlists that can reduce or bypass its protective blocking behavior. This is disclosed and useful for research/testing, but users should understand the effect.
/tinman mode yolo # Warn only, never block (testing/research)
Use the default safer mode for normal work, reserve yolo/risky modes for controlled testing, and review allowlist entries regularly.
Tinman can inspect recent session traces and write local reports/configuration, which may include private prompts, outputs, filenames, or security-relevant evidence.
The skill requests access to session history and local file read/write tools. That is coherent with scanning sessions and writing findings, but it is sensitive authority.
permissions:
  tools:
    allow:
      - sessions_list
      - sessions_history
      - read
      - write
Install only if you are comfortable with a local security scanner reviewing OpenClaw session history and writing reports under the OpenClaw workspace.
Future dependency versions could change behavior, and the registry metadata may not fully communicate the install requirements.
The skill depends on external PyPI packages with lower-bound version constraints. The registry summary also says there is no install spec, so setup metadata is not fully aligned.
install:
  pip:
    - AgentTinman>=0.2.1
    - tinman-openclaw-eval>=0.3.2
Install from trusted package sources, consider pinning exact versions in controlled environments, and review dependency provenance before use.
Local event and findings files may retain sensitive details from scans or tool-call analysis until the user deletes them.
The runner writes structured local event data for dashboards. The code includes truncation and some secret-pattern redaction, but the file can still persist security/session-derived context on disk.
EVENTS_FILE = WORKSPACE / "tinman-events.jsonl"
Protect the ~/.openclaw/workspace directory, review generated reports/events before sharing them, and clear old Tinman files if they contain sensitive information.
If remote gateway monitoring is enabled, monitoring data may cross machine or network boundaries.
The skill can connect to a gateway WebSocket for monitoring. The default is local-only and remote use is explicitly gated, which is appropriate but still a communication boundary to notice.
The default watch gateway is loopback-only (`ws://127.0.0.1:18789`) ... Remote gateways require explicit opt-in with `--allow-remote-gateway`
Keep gateway and Oilcan bridge bindings on loopback unless you intentionally need a trusted internal remote endpoint.
If enabled, Tinman may continue monitoring or scanning after the initial command until stopped.
The skill documents a continuous monitoring mode and a stop command. This is disclosed persistence for a security scanner, not hidden autonomous behavior.
/tinman watch --mode polling # Hourly scans
/tinman watch --stop # Stop background watch process
Use watch mode only when you want ongoing monitoring, and confirm it is stopped when no longer needed.
