v0.2.6

Openclaw Sec

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:15 AM.

Analysis

Prompt-injection indicators were detected in the submitted artifacts (ignore-previous-instructions, you-are-now, system-prompt-override); human review is required before treating this skill as clean.

GuidanceThis appears to be a legitimate security-monitoring skill, not a malicious one. Before installing, confirm you trust its source, review hook behavior, owner bypasses, logging/database retention, and notification settings, especially if prompts, tool calls, file contents, or secrets may be scanned. ClawScan detected prompt-injection indicators (ignore-previous-instructions, you-are-now, system-prompt-override), so this skill requires review even though the model response was benign.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusNote

README.md

Automated Actions - Block, warn, or log based on severity

The skill can influence whether agent requests are allowed, warned, logged, or blocked; this is central to a security product but affects agent behavior.

User impactThe skill may stop or alter agent workflows when it detects risky input or tool calls.

RecommendationReview severity-to-action mappings before enabling it in important workflows.

Rogue Agents

SeverityMediumConfidenceHighStatusNote

README.md

sets up hooks for automatic protection

Automatic hooks are disclosed and purpose-aligned, but they create persistent monitoring/enforcement behavior after installation.

User impactOnce enabled, the skill can keep inspecting prompts or tool calls without being manually invoked each time.

RecommendationInstall only if you want always-on security hooks, and keep a clear process for disabling or changing them.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

metadata

Source: unknown; Homepage: none

The registry metadata does not provide clear upstream provenance, which matters more for a skill that installs security hooks.

User impactUsers have less provenance information to verify before granting the skill monitoring and enforcement authority.

RecommendationVerify the package source, owner, and dependencies before installing in a sensitive environment.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

.openclaw-sec.example.yaml

Owner user IDs - these users bypass all security checks

The configuration supports privileged identities that bypass validation, which is useful for administration but weakens enforcement if misconfigured.

User impactAnyone listed as an owner may avoid the security checks entirely.

RecommendationKeep owner IDs minimal, verify they are trusted, and audit this setting regularly.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusNote

.openclaw-sec.example.yaml

logging: enabled: true ... retention_days: 90 ... database: path: .openclaw-sec.db ... retention_days: 365

The skill stores security events and analytics locally for extended periods, which may include sensitive prompts, paths, findings, or user/session metadata.

User impactSecurity scan records could persist sensitive context or secret-detection findings on disk.

RecommendationSet retention, log location, and database settings to match your privacy requirements, and avoid scanning secrets unless storage is acceptable.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

.openclaw-sec.example.yaml

notifications: enabled: false ... channels: webhook ... slack ... discord ... email

External notification channels are documented and disabled by default, but enabling them could transmit security findings to third-party services.

User impactIf configured, alerts may leave the local environment and be sent to webhooks, Slack, Discord, or email.

RecommendationLeave notifications disabled unless the endpoints are trusted and the alert contents are acceptable to share.