Openclaw Sec
Security checks across malware telemetry and agentic risk
Overview
Prompt-injection indicators (ignore-previous-instructions, you-are-now, system-prompt-override) were detected in the submitted artifacts. The model response to those artifacts was benign, but indicator matches of this kind require human review before the skill is treated as clean.
Before installing, verify the source, review the npm dependencies and lockfiles, inspect the hook and action settings, remove the placeholder owner bypass IDs from any copied example configuration, and decide whether local logging, database retention, and external notifications fit your privacy and security requirements.
VirusTotal
0 of 58 VirusTotal vendors flagged this skill; all 58 returned a clean verdict. This verdict is separate from the prompt-injection and configuration findings below, which come from ClawScan's artifact review rather than from antivirus scanning.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may warn, block, or log agent actions when it detects security issues.
The skill can integrate through hooks and mediate agent inputs or tool calls. That is consistent with a security suite, but users should know it can affect normal agent operation.
The documented install step automatically places the skill in `~/.openclaw/workspace/skills/openclaw-sec/` and sets up hooks for automatic protection.
Review the hook configuration and action thresholds before enabling automatic protection in important workflows.
If owner IDs are configured too broadly or are based on spoofable identifiers, security checks could be bypassed.
The example configuration allows designated owner IDs to bypass checks. This can be legitimate for administrators, but it depends on trusted user identity handling.
# Owner user IDs - these users bypass all security checks
owner_ids:
  - "admin@example.com"
  - "security-team@example.com"
Use owner bypasses sparingly, only with trusted identity sources, and remove placeholder owner IDs from copied example configs.
Users have less provenance information for deciding whether to trust the package.
The registry metadata does not identify a verified source or homepage, even though the skill includes substantial Node/TypeScript code.
Source: unknown
Homepage: none
Verify the repository/package source and review dependency lockfiles before running npm-based setup.
Installing dependencies can run package-manager lifecycle behavior from dependencies on the user's machine.
The documented setup requires local npm dependency installation for the CLI. This is normal for a TypeScript/Node security tool, but it executes package-manager workflows outside the instruction-only install spec.
cd ~/.openclaw/workspace/skills/openclaw-sec
npm install
Run npm installation only from a trusted copy of the skill, and consider reviewing package.json and lockfiles first.
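The review recommended above can be made concrete before anything is executed. The following script is an added example for this report, not the skill's own tooling: it reads a package.json and a lockfileVersion 2 or 3 package-lock.json and reports what a plain npm install would run (root lifecycle scripts), which locked dependencies carry their own install scripts (npm records these as hasInstallScript), which dependencies resolve from outside the npm registry, and which entries lack an integrity hash. Both JSON documents embedded in it are constructed samples, and the package names in them are not real packages.

```python
"""Review what `npm install` would execute before running it.

Added example for this report, not the skill's own tooling. It reads a
package.json and a lockfileVersion 2 or 3 package-lock.json and reports the
points raised above: lifecycle scripts of the root package, locked
dependencies that carry their own install scripts (npm records these as
hasInstallScript), dependencies resolved from outside the npm registry, and
entries without an integrity hash. Both JSON documents below are constructed
samples; the package names in them are not real packages.
"""
import json

# Scripts npm runs during a plain `npm install` in the root package directory.
ROOT_LIFECYCLE = ("preinstall", "install", "postinstall",
                  "prepublish", "preprepare", "prepare", "postprepare")
REGISTRY = "https://registry.npmjs.org/"


def audit_npm_install(package_json, lock_json):
    """Return findings as 'SEVERITY subject: message' strings."""
    pkg, lock, findings = json.loads(package_json), json.loads(lock_json), []
    scripts = pkg.get("scripts") or {}
    for hook in ROOT_LIFECYCLE:
        if hook in scripts:
            findings.append(f"HIGH root {hook}: runs {scripts[hook]!r} during npm install")
    packages = lock.get("packages")
    if packages is None:  # lockfileVersion 1 has no per-package metadata map
        findings.append("MEDIUM lockfile: lockfileVersion 1 does not record hasInstallScript; "
                        "regenerate the lockfile with a current npm before reviewing")
        return findings
    for path, meta in packages.items():
        if path == "" or meta.get("link"):  # root entry or workspace symlink
            continue
        name = path.split("node_modules/")[-1]  # handles nested node_modules and scopes
        if meta.get("hasInstallScript"):
            findings.append(f"HIGH {name}@{meta.get('version')}: dependency runs its own install script")
        resolved = meta.get("resolved", "")
        if not resolved.startswith(REGISTRY):
            findings.append(f"MEDIUM {name}: resolved from {resolved or 'an unrecorded source'}, not the npm registry")
        if not meta.get("integrity"):
            findings.append(f"MEDIUM {name}: no integrity hash, tarball cannot be verified")
    return findings


SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "openclaw-sec",  # name from this report; scripts and deps are constructed
    "version": "0.0.0",
    "scripts": {"build": "tsc -p .", "postinstall": "node scripts/setup-hooks.js"},
    "dependencies": {"example-yaml": "^2.0.0", "example-native-addon": "^1.4.0",
                     "example-fork": "github:someone/example-fork"},
})

SAMPLE_LOCK_JSON = json.dumps({
    "name": "openclaw-sec", "version": "0.0.0", "lockfileVersion": 3, "requires": True,
    "packages": {
        "": {"name": "openclaw-sec", "version": "0.0.0"},
        "node_modules/example-yaml": {
            "version": "2.3.4", "integrity": "sha512-c29tZSBjb25zdHJ1Y3RlZCBoYXNo...",
            "resolved": REGISTRY + "example-yaml/-/example-yaml-2.3.4.tgz"},
        "node_modules/example-native-addon": {
            "version": "1.4.0", "integrity": "sha512-YW5vdGhlciBjb25zdHJ1Y3RlZCBoYXNo...",
            "resolved": REGISTRY + "example-native-addon/-/example-native-addon-1.4.0.tgz",
            "hasInstallScript": True},
        "node_modules/example-fork": {
            "version": "0.9.1",
            "resolved": "git+ssh://git@github.com/someone/example-fork.git#0123456789abcdef0123456789abcdef01234567"},
    },
})

if __name__ == "__main__":
    print(*audit_npm_install(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK_JSON), sep="\n")
    print("\nAfter review, install without running any of these scripts:")
    print("  npm ci --ignore-scripts")
```

Run it against the skill's own package.json and package-lock.json before installing. `npm ci --ignore-scripts` (or `npm install --ignore-scripts` when no lockfile exists) then installs the locked tree without executing any flagged script, so each one can be read first and run deliberately afterwards if it is actually needed.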
Security events, user/session identifiers, and matched patterns may be retained locally for months.
The skill persists security events and analytics to logs and a local database with non-trivial retention periods.
logging:
  enabled: true
  file: ~/.openclaw/logs/security-events.log
  retention_days: 90
database:
  path: .openclaw-sec.db
  analytics_enabled: true
  retention_days: 365
Review what is logged, set retention appropriate to your environment, and protect or periodically clean the database and log files.
If enabled, security alert data may leave the local environment and go to configured third-party services.
The skill supports sending security notifications to external webhook, Slack, Discord, and email destinations, although they are disabled in the example config.
notifications:
  enabled: false
  channels:
    webhook:
      enabled: false
      url: "https://hooks.example.com/security"
    slack:
      enabled: false
      webhook_url: "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
Keep notifications disabled until destinations and payload contents are reviewed, and avoid sending sensitive prompt or secret material to untrusted webhooks.
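The three configuration reviews above (owner bypass IDs, log and database retention, external notification destinations) can be run as one pre-install lint. The script below is an added example for this report, not code from the skill or from ClawScan. It parses the small YAML subset the example configuration uses (nested mappings, scalars, lists of scalars) without PyYAML, then flags placeholder or wildcard owner IDs, retention above a threshold, and notification channels that are enabled or still point at placeholder or non-HTTPS destinations. The retention threshold (MAX_RETENTION_DAYS) is an assumed review value rather than a skill default, and SAMPLE_CONFIG is constructed from the fragments quoted in this report.

```python
"""Pre-install lint for an openclaw-sec style YAML config.

Added example for this report, not code from the skill or from ClawScan. It
parses the small YAML subset the example config uses (nested mappings, scalars,
lists of scalars) without PyYAML, then flags the review points raised above:
placeholder or wildcard owner bypass IDs, long local retention, and external
notification destinations. MAX_RETENTION_DAYS and SAMPLE_CONFIG are constructed.
"""
import re

MAX_RETENTION_DAYS = 30  # assumed review threshold, not a skill default
PLACEHOLDER = re.compile(r"example\.(com|org|net)\b|YOUR|[Cc]hange[Mm]e|[Pp]laceholder|^\*$")

def _scalar(token):
    """Unquote strings, convert booleans and integers."""
    token = token.strip()
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "\"'":
        return token[1:-1]
    if token.lower() in ("true", "false"):
        return token.lower() == "true"
    return int(token) if re.fullmatch(r"-?\d+", token) else token

def parse_simple_yaml(text):
    """Indentation-based mappings plus '- item' lists; not a general YAML parser."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for every mapping still open
    last_key = None       # (mapping, key, indent) of the latest bare "key:" line
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # strip comments
        if not line.strip():
            continue
        indent, body = len(line) - len(line.lstrip()), line.strip()
        if body.startswith("- "):  # list item, attached to last_key
            if last_key is None or indent < last_key[2]:
                raise ValueError(f"stray list item: {raw!r}")
            mapping, key, _ = last_key
            if mapping[key] == {}:  # first item turns the placeholder into a list
                mapping[key] = []
            mapping[key].append(_scalar(body[2:]))
            continue
        while stack[-1][0] >= indent:  # close sibling and deeper mappings
            stack.pop()
        mapping = stack[-1][1]
        key, _, value = body.partition(":")
        key = key.strip()
        if value.strip():
            mapping[key] = _scalar(value)
        else:  # a nested mapping or a list follows on the next lines
            mapping[key] = {}
            stack.append((indent, mapping[key]))
            last_key = (mapping, key, indent)
    return root

def _get(cfg, *path, default=None):
    """Nested lookup that tolerates missing or non-mapping intermediate values."""
    for p in path:
        cfg = cfg.get(p) if isinstance(cfg, dict) else None
    return default if cfg is None else cfg

def audit_config(cfg):
    """Return findings as 'SEVERITY path: message' strings."""
    findings = []
    owners = _get(cfg, "owner_ids", default=[])
    for oid in owners if isinstance(owners, list) else [owners]:
        if not str(oid).strip() or PLACEHOLDER.search(str(oid)):
            findings.append(f"HIGH owner_ids: placeholder or wildcard bypass ID {oid!r}")
    for section in ("logging", "database"):
        days = _get(cfg, section, "retention_days")
        if isinstance(days, int) and days > MAX_RETENTION_DAYS:
            findings.append(f"MEDIUM {section}.retention_days: {days} exceeds {MAX_RETENTION_DAYS}")
    global_on = bool(_get(cfg, "notifications", "enabled", default=False))
    for name, ch in (_get(cfg, "notifications", "channels", default={}) or {}).items():
        ch = ch if isinstance(ch, dict) else {}
        url = next((str(v) for k, v in ch.items() if k.endswith("url")), "")
        if ch.get("enabled"):  # an enabled channel is only held back by the global switch
            sev, state = ("HIGH", "active") if global_on else ("LOW", "gated by notifications.enabled")
            findings.append(f"{sev} notifications.{name}: {state}; alerts would leave the host for {url!r}")
        if url and PLACEHOLDER.search(url):
            findings.append(f"LOW notifications.{name}: placeholder destination {url!r}")
        if url and not url.startswith("https://"):
            findings.append(f"MEDIUM notifications.{name}: destination {url!r} is not https")
    return findings

SAMPLE_CONFIG = """\
owner_ids:
  - "admin@example.com"
  - "security-team@example.com"
logging:
  enabled: true
  file: ~/.openclaw/logs/security-events.log
  retention_days: 90
database:
  path: .openclaw-sec.db
  analytics_enabled: true
  retention_days: 365
notifications:
  enabled: false
  channels:
    webhook:
      enabled: false
      url: "https://hooks.example.com/security"
    slack:
      enabled: false
      webhook_url: "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
"""
```

Calling `audit_config(parse_simple_yaml(SAMPLE_CONFIG))` on the quoted example configuration yields two HIGH findings for the example.com owner IDs, two MEDIUM findings for the 90 and 365 day retention, and two LOW findings for the placeholder webhook URLs; a config with opaque owner IDs, short retention and no placeholder destinations yields none. A channel that is enabled while `notifications.enabled` is still false is reported at LOW severity, because flipping the single global switch would start sending alerts off-host.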
