ClawShield

Pass

Audited by ClawScan on May 10, 2026.

Overview

ClawShield’s reviewable code is a local, purpose-aligned security audit script, but its docs reference missing UI/config pieces, and users should take note of its local memory scan and optional cron workflow.

Before installing, verify that you only run reviewed files, since the documented panel/config scripts are missing. If you use the audit script, expect it to inspect local OpenClaw memory, skills, status output, and localhost ports, and avoid sharing the generated JSON report without review or redaction. Only set up cron or Telegram-style alerting if you explicitly want recurring scans or external notifications and understand what data may be included.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The UI/config workflow may fail or may require running code that was not included in this review.

Why it was flagged

The documented panel and config helpers are not included in the provided file manifest, so the advertised workflow is incomplete and any added helper code would need separate review.

Skill content

node scripts/panel-server.js ... node scripts/config.js get

Recommendation

Run only the included, reviewed files unless you can verify any additional scripts; the package metadata and manifest should be updated to match the documented workflow.

What this means

The report may expose snippets from local OpenClaw memory or reintroduce prompt-injection text into an agent’s context.

Why it was flagged

The script reads local agent memory and skill files and emits matching lines into the JSON report. This is expected for prompt-injection detection, but those lines can contain sensitive or adversarial text.

Skill content

SCAN_PATHS=("$WORKDIR/memory" "$WORKDIR/skills" ) ... "prompt_injection_hits": [l for l in read_file(os.environ["PI_SCAN_FILE"]).splitlines() if l.strip()]

Recommendation

Keep reports local, redact before sharing, and treat reported prompt-injection hits as untrusted evidence rather than instructions.

What this means

The report can include local service, gateway, session-status, and localhost port information.

Why it was flagged

The audit script invokes local status commands and optionally runs a loopback-only port scan. This is aligned with the security-audit purpose and is not shown scanning remote hosts.

Skill content

(openclaw status || true) ... (openclaw gateway status || true) ... (session_status || true) ... nmap -Pn -p 1-1024 127.0.0.1

Recommendation

Run the audit manually or under a clearly chosen schedule, verify the output before sharing it, and do not grant extra privileges unless necessary.

What this means

If the user adds a cron job, the audit can keep running and generating reports after the initial interaction.

Why it was flagged

The skill documents recurring execution through cron. This is disclosed and user-directed, but it is still a persistence mechanism.

Skill content

Cron setup: Schedule `scripts/audit.sh` at the chosen cadence.

Recommendation

Only create a cron job intentionally, choose a reasonable cadence, and document how to disable or remove the scheduled task.

What this means

A user might assume all behavior stays local while later enabling an external alert channel.

Why it was flagged

The documentation says scans are local-only while also describing Telegram alerts, which would normally require external network communication if implemented. No Telegram alert code is present in the reviewed files.

Skill content

`config.yaml` defaults: Scan_freq=daily, alerts=telegram, sensitivity=high. ... Local-only scans; no network calls outside localhost.

Recommendation

Clarify whether alerts leave the machine, what data is sent, and require explicit user setup for any third-party alert integration.