Sentinel Shield

Security checks across malware telemetry and agentic risk

Overview

Sentinel Shield appears to be a legitimate security helper, but it needs review because it reads sensitive host files by default and overstates some active protection features.

Review before installing. Treat this as a manual audit and alert helper, not a proven active firewall. Narrow config/shield.json to only files you explicitly want it to read, avoid running it with elevated privileges, and leave Telegram disabled unless you are comfortable sending security-event metadata to that Telegram chat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill advertises multiple shell-based commands (`node {baseDir}/scripts/sentinel.js ...`) but does not declare corresponding permissions. That mismatch can cause the platform or user to underestimate the skill's execution capabilities, weakening review and consent around command execution.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The documented behavior goes beyond the stated purpose of runtime agent protection into sensitive file monitoring, external Telegram alerting, and kill-switch operations. This description-behavior mismatch is dangerous because users may authorize a seemingly narrow security tool without realizing it reads high-value files and sends data to third-party services.

Context-Inappropriate Capability

Severity: Medium
Confidence: 78%
Finding: The version history claims 'process scanning' even though the rest of the manifest does not clearly scope or justify that capability. Undisclosed process inspection expands host visibility and can expose sensitive runtime information beyond what users expect from a monitoring skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The skill is described as runtime security for agent tool calls and prompt-injection detection, but the configuration extends monitoring to sensitive host files such as SSH keys, passwd, and sudoers. Even if framed as defensive monitoring, this expands the skill's access scope into credential and privilege-related files, increasing the chance of unnecessary exposure, misuse, or future abuse if the skill or its logs are compromised.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The code can transmit alert contents, including tool names and operational metadata, to Telegram, creating an external exfiltration path. In a security-monitoring skill, outbound messaging is contextually plausible, but because it sends data to a third-party service based on local config with no content minimization or trust boundary controls, sensitive runtime details could be leaked if misconfigured or abused.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The `kill` command is a genuine security concern because it clears `call_counts.json`, effectively resetting rate-limiting state while presenting itself as a security feature. In a tool intended to monitor and enforce protections, a user-invokable command that disables part of those protections can be abused by anyone with access to the CLI to bypass throttling or erase operational state after suspicious activity.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The installation guide instructs users to configure Telegram alerts and retrieve identifiers via Telegram's API, but it does not clearly disclose that operational security data may be transmitted to a third-party service when alerts are enabled. In a security-monitoring skill, this omission matters because users may unknowingly route sensitive alert content, file names, or incident metadata outside their environment.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The trigger phrases are broad and overlap with normal security-related conversation such as 'check security' or 'security audit'. This increases the chance of accidental activation, which is especially risky for a skill that may execute shell commands, inspect sensitive files, or perform other security actions on the host.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The kill command is presented as a direct action without an explicit warning, confirmation step, or explanation of side effects. Destructive or state-altering operations triggered through conversational workflows can be invoked accidentally or via prompt injection, causing denial of service or loss of monitoring state.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The monitor performs silent network transmission to Telegram without any user-facing disclosure in the code path, which reduces operator awareness of data leaving the environment. In security tooling, undisclosed outbound communication is especially risky because operators may assume monitoring is local-only while alerts expose internal activity metadata to an external service.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
## Setup (Telegram Alerts)

1. Create a Telegram bot via @BotFather → copy the token
2. Message your bot to get your chat ID: `https://api.telegram.org/bot<TOKEN>/getUpdates`
3. Add both to `{baseDir}/config/shield.json`

## How to Use in Agent Sessions
Confidence: 84%
Finding: https://api.telegram.org/

Credential Access

Severity: High
Category: Privilege Escalation
Content:
  "monitoredFiles": [
    "~/.openclaw/openclaw.json",
    "~/.openclaw/credentials",
    "~/.ssh/authorized_keys",
    "/etc/passwd"
  ],
  "injectionScanning": true,
Confidence: 94%
Finding: ~/.ssh/authorized_keys

Credential Access

Severity: High
Category: Privilege Escalation
Content:
- `~/.openclaw/openclaw.json` — Gateway auth token (THE critical file)
- `~/.openclaw/credentials` — Stored credentials
- `~/.ssh/authorized_keys` — SSH access control
- `/etc/passwd` — System user accounts
- `/etc/sudoers` — Privilege escalation paths
Confidence: 94%
Finding: ~/.ssh/authorized_keys

Credential Access

Severity: High
Category: Privilege Escalation
Content:
    "~/.openclaw/openclaw.json",
    "~/.openclaw/credentials",
    "~/.ssh/authorized_keys",
    "/etc/passwd"
  ],
  "injectionScanning": true,
  "alertLevel": "medium"
Confidence: 95%
Finding: /etc/passwd

Credential Access

Severity: High
Category: Privilege Escalation
Content:
- `~/.openclaw/openclaw.json` — Gateway auth token (THE critical file)
- `~/.openclaw/credentials` — Stored credentials
- `~/.ssh/authorized_keys` — SSH access control
- `/etc/passwd` — System user accounts
- `/etc/sudoers` — Privilege escalation paths

## Version History
Confidence: 95%
Finding: /etc/passwd

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal