ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

RevSec Shield

v1.0.2

24/7 security monitoring for your OpenClaw agent. Detects prompt injection attacks, malicious skills, and data exfiltration attempts. Delivers plain-English...

0· 66·0 current·0 all-time
byNipun@revupai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (agent security monitoring + WhatsApp alerts) align with the declared requirement (REVSEC_API_KEY) and instructions to register and poll a remote API. Requiring an API key for a hosted monitoring service is expected, and reading OpenClaw state/config to identify the agent is consistent with the stated purpose. The homepage is an unfamiliar domain (revsec.revt2d.com) and owner identity is unknown, so vendor trustworthiness is not established.
!
Instruction Scope
SKILL.md instructs the agent to read and write ~/.openclaw/revsec-state.json, read ~/.openclaw/openclaw.json, list installed skill directories, generate/stash stable agent IDs, and create a 5-minute background poll (cron). Those actions allow collection of agent configuration and the list (and possibly contents) of installed skills — reasonable for a monitor but potentially sensitive. The doc also tells the agent to echo $REVSEC_API_KEY (which may leak the key into logs) and to prefer automated curl/shell calls, increasing the chance sensitive data will be transmitted without explicit user review. The instructions do not fully describe what exact fields are sent to RevSec or what the RevSec backend will do with them.
Install Mechanism
No install spec or code files are included (instruction-only), so nothing will be downloaded or written during install beyond the state file the skill itself asks the agent to manage. This minimizes install-time risk but means runtime behavior (network calls) is the main surface to review.
Credentials
Only one environment variable (REVSEC_API_KEY) is required, which is proportionate for an authenticated hosted service. However, the instructions to echo the key and to read other local configs (openclaw.json and skill directories) increase risk of inadvertent leakage; the SKILL.md does not limit or document exactly what data is posted to the remote API.
!
Persistence & Privilege
The skill instructs creating/ensuring a cron job that runs every 5 minutes to poll an external service. While always:false and autonomous invocation are normal, a frequent background poll combined with the ability to read local config and installed skills raises the operational blast radius: it enables continuous exfiltration if the remote service or API key is misused. The SKILL.md does not provide opt-in controls or a clear list of transmitted fields.
What to consider before installing
Before installing: 1) Verify the vendor and backend: check the RevSec service owner, privacy policy, and where data is hosted. 2) Ask the maintainer to provide a precise data map — what exact files/fields will be sent to revsec.revt2d.com and what the service does with them. 3) Avoid echoing the API key into shells or logs; store the key in OpenClaw environment settings as recommended and ensure logs are not captured. 4) Inspect ~/.openclaw/openclaw.json yourself to see whether it contains sensitive tokens that you don't want shared; if it does, ask RevSec which fields they need and whether you can redact others. 5) Consider running the skill manually for one-time checks first instead of enabling the 5-minute cron, and confirm you can revoke the API key and remove the cron job easily. 6) If you cannot verify the backend/operator or the exact data transmitted, treat this skill as higher-risk and prefer alternatives from known/trusted vendors.

Like a lobster shell, security has layers — review code before you run it.

agent-securityvk972eyh72gkbxp1b02zp1css5d83tvpxlatestvk972eyh72gkbxp1b02zp1css5d83tvpxmonitoringvk972eyh72gkbxp1b02zp1css5d83tvpxprivacyvk972eyh72gkbxp1b02zp1css5d83tvpxprotectionvk972eyh72gkbxp1b02zp1css5d83tvpxsecurityvk972eyh72gkbxp1b02zp1css5d83tvpx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🛡️ Clawdis
EnvREVSEC_API_KEY
Primary envREVSEC_API_KEY

Comments