ClawShield
v1.1.0
OpenClaw security audit + prompt injection detector. Scans gateway/vulns/cron/PI patterns. Use for frenzy-proofing installs.
⭐ 1· 1.1k·8 current·9 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The description says it audits OpenClaw for prompt-injection and related risks; the included scripts (scripts/audit.sh) implement local PI pattern scans and a loopback port scan and produce JSON, which matches the stated purpose. However, SKILL.md instructs running node scripts (scripts/panel-server.js and scripts/config.js) and editing config.yaml, none of which are included. The manifest also declares no required binaries/env, but the audit script expects commands like openclaw, session_status, python3 (and optionally nmap). These mismatches make the package internally inconsistent.
Instruction Scope
SKILL.md tells the agent to launch a panel server, run a node-based config CLI, update config.yaml and schedule the audit in cron. The package does not include the referenced node scripts or config.yaml; the panel UI provided is a static HTML file that does not actually run the audit. The audit.sh script scans local memory and skills directories (which may legitimately contain conversation data), and writes full status outputs to the report, so it will read potentially sensitive local files. SKILL.md claims 'Local-only scans', which matches the script (it uses loopback for nmap), but also claims alerting via Telegram by default with no implementation present.
Install Mechanism
No install spec — instruction-only skill with a small bash script and static assets. That is lower risk than arbitrary downloads or installers. Nothing in the package writes system files or includes an installer.
Credentials
The registry declares no required environment variables or credentials, which is good, but the audit script reads local OpenClaw status and session outputs, and scans 'memory' and 'skills' directories by default. Those locations commonly hold sensitive context (system prompts, conversation history, tokens). The script will include those outputs verbatim in its JSON report, and SKILL.md references alerting (Telegram) without providing the integration, a mismatch that could lead a user to add credentials later. Also, the script's default WORKDIR/OUTDIR are hard-coded to a specific user path (/Users/BillyAssist/...), which is unexpected and could cause the tool to scan different locations than the user intends.
Persistence & Privilege
The skill does not request 'always: true', does not self-install, and has no install hook. SKILL.md recommends the user schedule scripts/audit.sh in cron — that would create persistence only if the user follows instructions. This is a normal design for monitoring tools but is a persistence step under the user's control; still, instructing cron setup without included config files is inconsistent and should be validated by the user.
What to consider before installing
Do not install or run this skill blindly. Specific things to check before using:
1) The SKILL.md references node scripts (scripts/panel-server.js and scripts/config.js) and config.yaml, but those files are missing — ask the author for the missing code or treat the panel instructions as non-functional.
2) The audit script expects local commands (openclaw, session_status) and python3 and optionally nmap; verify those are intended and present on your system.
3) The script scans workspace/memory and skills directories and includes status output verbatim in the JSON report — these files often contain secrets or system prompts, so review what will be read and where the resulting report will be stored/transmitted before running.
4) The default WORKDIR/OUTDIR are hard-coded to /Users/BillyAssist/... — update these to safe paths before running.
5) If you plan to follow the cron/alerting suggestions, confirm how alerts would be sent (there is no Telegram integration in the package), and avoid providing credentials until you verify the alerting implementation.
If you cannot validate these points, run the audit.sh in a sandboxed environment and inspect its output first.
Like a lobster shell, security has layers — review code before you run it.
Tags: API security, Audit, Hacker Protection, Malicious Software Security, Pi, Prompt Injection protection, Security, Skill Safety, Vuln Check, agent-guard, clawhub safe, frenzy-proof, latest, malware-scan
