AgentGuard by Nano
Warn. Audited by ClawScan on May 10, 2026.
Overview
AgentGuard’s purpose is coherent, but the provided code uses a predictable vault password fallback and unsafe shell-based 1Password commands, so it needs review before real secret use.
Do not use this skill for real secrets until the default password fallback and 1Password shell-command handling are fixed. If testing, set a strong AGENTGUARD_PASSWORD, verify the npm package source, avoid untrusted agent/key names, and keep sensitive details out of approval notifications.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed agent name, key, account, or credential value could cause unintended local command execution or expose secrets while using the 1Password integration.
1Password item titles, fields, values, and account options are interpolated into a shell command rather than passed as safe argv parameters. Crafted values can break quoting and run local commands, and secrets can appear in command-line arguments.
    let cmd = `item create --vault "${vault}" --category ${category} --title "${itemTitle}" "${field}=${value}"`;
    ...
    return execSync(`op ${command}${accountFlag}`, options);
Use execFile/spawn with argument arrays, strictly validate user-controlled fields, never rely on shell quoting, and pass secrets through stdin or supported secure input mechanisms.
Credentials stored in the local vault may be protected by a publicly known password, undermining the main security promise of the skill.
If the user does not set AGENTGUARD_PASSWORD, the credential vault is initialized with a known default master password.
    function getMasterPassword() { return process.env.AGENTGUARD_PASSWORD || 'default-password-change-me'; }
Refuse to run without an explicit strong master password, prompt securely when needed, declare the environment variable in metadata, and never use a default vault password.
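An added example of the refusal the recommendation asks for (not the skill's own code): the vault is opened only when AGENTGUARD_PASSWORD is set and passes a minimum policy, and the known default is rejected outright. The minimum length, the character-class rule, and the deny-list entries beyond the page's own default string are assumptions for this example.

```javascript
// Added example, not code from the AgentGuard skill.

// The page's default is on this list; the other entries are assumed extras.
const KNOWN_DEFAULTS = new Set(['default-password-change-me', 'password', 'changeme']);
const MIN_LENGTH = 16; // assumed policy

// Returns a list of reasons the password is unacceptable; empty means acceptable.
function passwordProblems(pw) {
  const problems = [];
  if (typeof pw !== 'string' || pw.length === 0) {
    problems.push('AGENTGUARD_PASSWORD is not set');
    return problems;
  }
  if (KNOWN_DEFAULTS.has(pw.toLowerCase())) problems.push('matches a publicly known default');
  if (pw.length < MIN_LENGTH) problems.push(`shorter than ${MIN_LENGTH} characters`);
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].filter((re) => re.test(pw)).length;
  if (classes < 3) problems.push('uses fewer than three character classes');
  return problems;
}

// Replacement for the page's getMasterPassword(): no fallback, fail closed.
// `env` is injectable so the policy can be tested without touching process.env.
function getMasterPassword(env = process.env) {
  const problems = passwordProblems(env.AGENTGUARD_PASSWORD);
  if (problems.length > 0) {
    throw new Error('refusing to open the vault: ' + problems.join('; '));
  }
  return env.AGENTGUARD_PASSWORD;
}
```

Throwing rather than substituting a default means a misconfigured install fails before any credential is written, which is the behaviour a credential vault should have.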
Users may over-trust approvals or audit logs and delegate more sensitive actions than the implementation can safely enforce.
These are high-assurance safety claims for a security tool. The visible artifacts show CLI/API approval flows by request ID/label and audit code based on a SHA-256 hash chain, so the stronger biometric/signature claims are not clearly substantiated.
Owner approves/denies with biometric confirmation ... Audit Trail: Cryptographically signed operation logs
Clearly distinguish implemented features from roadmap claims, document the actual approval trust model, and use real authentication/signatures if those guarantees are advertised.
Installing the wrong or unverified npm package could expose credential-management workflows to unreviewed code.
The provided documents also instruct npm installation of an external package, so provenance matters, especially because this skill handles credentials.
Source: unknown; Homepage: none; Install specifications: No install spec — this is an instruction-only skill.
Verify the npm package, repository, publisher, and version before installation; prefer a pinned, registry-declared install source.
Email recipients, subjects, request details, or other task data could be shared with an external notification channel.
Approval notifications may send operation details to Feishu/OpenClaw channels. This is disclosed and purpose-aligned, but those details can be sensitive.
    Feishu 收到的消息 ... 详情: { "to": "user@example.com", "subject": "Hello" }
Avoid putting secrets or sensitive payloads in approval details, and configure only trusted notification channels with clear retention and access controls.
