Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
🚨Sentinel, The Agent Cop - Protect Your Agent From Prompt Injections
v1.0.1 · Catches prompt injection hidden in Moltbook docs, tool results, and external content — plus credential exfiltration, token smuggling, and insecure output — b...
⭐ 0 · 29 · 0 current · 0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, the included Python bridge (skill.py), and the CLI commands all match a tool that scans messages and tool results for prompt injections and other OWASP LLM issues. Requiring python/python3 is appropriate. The presence of pattern lists, decoding helpers, and taint-check commands is coherent with the stated purpose.
Instruction Scope
Runtime instructions tell the agent to run the included skill.py and optionally enable a hook that will run on every message:received/message:sent — this gives the skill broad visibility into every conversation. The SKILL.md and script include many prompt-injection strings (expected for detection), but the instructions also recommend auto-install/auto-run behavior and call AgentIdentity.register() to fingerprint the instance. The script persists state (~/.openclaw/agentcop/) and can scan buffered events; these are within scope for a monitor but increase sensitive data exposure.
Install Mechanism
There is no packaged install spec, but skill.py will attempt to pip install the third-party package 'agentcop>=0.4,<1' at runtime unless AGENTCOP_NO_AUTOINSTALL is set. Auto-installing a PyPI package on first use is a network operation that results in executing upstream code on the host — this is a moderate-to-high risk operation and should be reviewed or disabled by policy in sensitive environments.
Credentials
The skill does not request secrets or config paths in the registry metadata. However, the code will fingerprint the host and agent_id (OPENCLAW_AGENT_ID or default) and persist events locally. The skill includes regexes to detect many credential formats (AWS keys, OpenAI keys, GitHub PATs), so it may log or surface secrets it detects. It also exposes toggles (AGENTCOP_NO_AUTOINSTALL, AGENTCOP_STATE_DIR) — these are reasonable, but the skill may transmit identity/scan/badge requests to agentcop.live or other endpoints via the bundled 'agentcop' package (not explicit in skill.py), so network exposure of discovered sensitive data is possible.
Persistence & Privilege
always:false (good). The skill persists state under ~/.openclaw/agentcop and offers a hook that, when enabled, will run on every message event — providing continuous monitoring (expected for this functionality). The combination of persistent local storage, automatic pip install, host fingerprinting, and optional background hook increases blast radius if the upstream package or badge API is malicious or compromised.
Scan Findings in Context
[ignore-previous-instructions] expected: SKILL.md and detection patterns intentionally include typical prompt-injection phrases (e.g., 'ignore previous instructions') so the monitor can detect them. Their presence is expected but the same tokens are recognized by the platform scanner as potential manipulation.
[system-prompt-override] expected: Pattern strings like 'system prompt:' appear in the skill to detect attempts to override system prompts; this is appropriate for a security monitor but triggers the pre-scan injection detector.
What to consider before installing
This skill is plausible for its stated purpose, but exercise caution before enabling it widely. Actions to consider:
1) Inspect the upstream 'agentcop' Python package source (on PyPI or its repo) before allowing the automatic pip install, or set AGENTCOP_NO_AUTOINSTALL=1 to prevent auto-install and install from a vetted artifact instead.
2) Review what data the package sends off-host (AgentIdentity.register(), badge generation, full-scan report) — if you need offline operation, confirm the package supports it.
3) Be aware that enabling the agentcop-monitor hook gives the skill access to every inbound/outbound message; test it in an isolated environment first.
4) Check the persisted directory (~/.openclaw/agentcop/) for stored events and decide if retention is acceptable.
5) If you cannot audit the upstream package, avoid enabling background monitoring or badge operations that may contact agentcop.live or third parties.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
skill.py:206 · Dynamic code execution detected.
README.md:48 · Prompt-injection style instruction pattern detected.
Like a lobster shell, security has layers — review code before you run it.
Tags: agentcop · agents · latest · malware · monitoring · owasp · promp injections · security · sentinel
Runtime requirements
🔒 Clawdis
Any bin: python3, python
