Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AgentGuard by Nano
v0.4.0
Agent Identity & Permission Guardian - Trust middleware for credential management, permission scopes, human approval workflows, and audit trails. Use when AI...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The skill claims to be a credential/approval middleware and the code implements vaults, audit, human gate and 1Password integration — so the capability set aligns with the description. However the package and SKILL metadata declare no required environment variables or binaries while the code expects/processes many env vars (AGENTGUARD_PASSWORD, AGENTGUARD_USE_TMUX, OP_ACCOUNT, FEISHU_OPEN_ID, etc.) and shell tools (1Password 'op' CLI, tmux). That mismatch between declared requirements and actual dependencies is incoherent and risky.
Instruction Scope
SKILL.md and README describe local files (~/.agentguard/*) and an API/CLI usage that is consistent. But runtime instructions and the implementation invoke external CLIs (op), spawn tmux sessions, and execute shell commands via child_process. Those behaviors access system-level resources and can read/write files and invoke external channels (Feishu/other notifiers). The SKILL.md does not fully disclose these execution behaviors or the environment variables they rely on.
Install Mechanism
The registry metadata said 'no install spec' but SKILL.md and package.json advertise npm install (package name 'agentguard') and there are full source files included. Installing via npm is a common mechanism and not inherently malicious, but the metadata inconsistency (instruction-only vs. packaged code) should be resolved. There are no arbitrary download URLs or extract steps in the files provided.
Credentials
The code uses multiple environment variables and system tools (AGENTGUARD_PASSWORD, AGENTGUARD_USE_TMUX, OP_ACCOUNT, OPENCLAW_TMUX_SOCKET_DIR, FEISHU_* etc.) but the skill registry declares no required env vars. It also defaults to a weak fallback master password ('default-password-change-me') if AGENTGUARD_PASSWORD is not set. Requesting access to 1Password CLI and external notification channels is plausible for the described feature set, but the missing declaration of these requirements and the default fallback behavior are disproportionate and should be explicit to users.
Persistence & Privilege
The skill stores data under ~/.agentguard/, writes audit logs, and expects to be installed into the OpenClaw skills directory. It is not marked 'always: true' and does not appear to alter other skills' configurations. These file writes are consistent with its purpose, but the code also may create tmux sockets and sessions and will run shell commands — this level of system interaction is broader than a purely in-process library and should be considered when granting installation.
What to consider before installing
1) Undeclared requirements: The package actually runs shell commands (1Password CLI 'op') and may spawn tmux sessions, and it reads env vars like AGENTGUARD_PASSWORD, AGENTGUARD_USE_TMUX, OP_ACCOUNT, FEISHU_OPEN_ID. The skill metadata did not declare these — verify and set them intentionally.
2) Review the code paths that execute shell commands: src/1password.js uses child_process.execSync and a tmux-based execution path that creates sockets and sessions. If you don't trust the package source, these execs could be abused to run arbitrary commands on your machine.
3) Secrets handling: CLI commands print credentials (vault get prints the value to stdout) and the tool writes audit logs under ~/.agentguard. Ensure you understand where master passwords and API keys are stored and whether you're comfortable with the local storage and stdout behaviors.
4) External notifications: The human-gate integrates with Feishu/other channels. Inspect src/feishu-notifier.js (and other notifiers) to confirm what is sent externally and whether any sensitive data could be exfiltrated in approval payloads.
5) Metadata inconsistency: The registry said 'instruction-only' while the repo contains code and package.json. Prefer to install from a known trustworthy source (official npm package or vetted repo) and verify package integrity (source repo, npm publisher, checksums) before running.
6) Safety steps: run the package in an isolated environment (sandbox/VM) first; search the repository for exec/child_process usages and all network endpoints; set a strong AGENTGUARD_PASSWORD rather than relying on the default; avoid exposing the master password in a shared environment variable; and consider disabling AGENTGUARD_USE_TMUX unless you need the tmux flow.
Given the coherent functionality but the undeclared env/exec behavior and tmux usage, the package looks plausible for its stated purpose but has enough mismatches and risky operations to mark it suspicious until you confirm provenance and review the exec/network code paths.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements: 🔐 Clawdis