Vigilance
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may not run the code the user thinks they installed, or may fail and bypass the intended guardrail workflow.
The reviewed registry slug is vigilance, but the top-level instructions identify the skill as agent-sentinel and point execution to an agent-sentinel install path. This can cause the agent to execute a different or missing script instead of the reviewed vigilance path.
name: agent-sentinel ... python3 ~/.openclaw/skills/agent-sentinel/eval_engine.py
Publish a single coherent skill identity and make all documented command paths match the registry slug and packaged files.
A user expecting only a tool-call safety guardrail may also install instructions and code for a different LLM-based response evaluator.
This nested skill under the vigilance package describes a response-quality scoring tool, not the top-level EBE guardrail. Conflicting descriptions can mislead users and agents about what behavior is actually being installed.
name: agent-eval-engine ... Deterministic quality-control evaluator for AI agent outputs. Scores a response 0–100
Remove unrelated nested skill artifacts or clearly separate them into distinct packages with accurate names, versions, and descriptions.
The skill can pause, block, or require confirmation for common actions such as searches, shell commands, bookings, and payments.
The skill deliberately inserts itself before broad, high-impact tool categories. That is aligned with a guardrail purpose, but users should notice how much agent behavior it controls.
`web_search` | Every search, without exception ... `shell_command` | Every shell or terminal execution ... `payment_tool` | Every payment
Review SENTINEL_CONFIG.md and only enable mandatory gating if you want this skill to control those tool categories.
Private search terms, command lines, URLs, travel details, or payment context could be shared with the configured LLM provider.
The evaluator builds an LLM-judge prompt from the user's intent and exact action payload. For web searches, shell commands, payments, or bookings, that payload may contain sensitive information and may be sent to the selected provider.
f"User intent : {intent}\n" ... f"Payload/data: {data}\n\n" ... raw = _llm_call(_TIER1_LLM_SYSTEM, user_prompt, provider, model
Use a trusted provider, avoid including secrets in payloads, and consider a local provider such as Ollama for sensitive workflows.
Installing and using the skill may consume Anthropic or OpenAI API quota and grants the local script access to those provider keys.
The included evaluator reads provider API keys from the environment to call LLM judge services. This is expected for an LLM-evaluator skill, but it is still delegated account access.
api_key = os.getenv("ANTHROPIC_API_KEY") ... client = _anthropic.Anthropic(api_key=api_key)
Use environment-scoped API keys, monitor provider usage, and do not place broader credentials in the same environment unnecessarily.
