Crusty Security
v0.1.4
Security and threat scanning skill for OpenClaw agents. Scans files and skills for malware. Monitors agent behavior for compromise indicators. Audits host se...
⭐ 0· 597·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to perform local scanning, skill auditing, and agent monitoring and only declares minimal requirements (bash, python3). That aligns with the included scripts. However the SKILL.md and scripts reference an optional remote dashboard and several environment variables (CRUSTY_API_KEY, CLAWGUARD_*, CLAWGUARD_DATA_DIR, CRUSTY_QUARANTINE, etc.) even though the registry metadata declared no required env vars/credentials. The dashboard sync of installed-skill metadata and scan results is plausible for this product, but the missing declaration of the API key and inconsistent env-var naming (CRUSTY_* vs CLAWGUARD_*) is an incoherence and a transparency issue.
Instruction Scope
Runtime instructions direct the agent to run setup.sh which installs ClamAV, run many scripts, and to create cron jobs automatically. SKILL.md explicitly instructs the agent to 'do this immediately after first install — don't wait for the user to ask', and to automatically configure recurring cron jobs (including a 5-minute heartbeat and skill-sync). That grants the skill the ability to schedule persistent tasks and periodically push data to the remote dashboard if an API key is set. Additionally, a pre-scan detected a prompt-injection pattern (ignore-previous-instructions) in SKILL.md, which is a red flag for instruction-manipulation attempts. Even if the cron scheduling and pushes are within a security tool's scope, the instructions go beyond a passive helper and instruct autonomous configuration and regular outbound communications.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the package bundle contains multiple scripts (setup.sh, install_clamav.sh, and monitoring/audit scripts). That is not inherently malicious, but because setup.sh will install ClamAV and may modify system state, you should inspect setup.sh and install_clamav.sh before running. No suspicious external download URLs were flagged in the provided excerpts, but full install scripts were truncated in the listing — review them carefully before executing.
Credentials
Although the registry metadata lists no required env vars, the SKILL.md and scripts clearly reference several environment variables (CRUSTY_API_KEY, CRUSTY_DASHBOARD_URL, CLAWGUARD_* variants, CRUSTY_QUARANTINE, CLAWGUARD_WORKSPACE, etc.). The skill will push scan results, heartbeats, and skill-inventory data to a remote dashboard when an API key is present. Exporting an API key grants periodic outbound data transfer (including skill inventory, scan results, and possibly file path metadata). The discrepancy between declared and referenced env vars and inconsistent naming is an incoherence you should resolve before trusting the skill with credentials.
Persistence & Privilege
The skill recommends and automates creation of cron jobs that run regularly (every 5 minutes, daily, weekly, monthly) and a bi-daily ClawHub sync. These scheduled tasks create persistent behavior on the host (heartbeats, scans, syncs). While this is reasonable for a monitoring tool, SKILL.md's wording ('do this immediately... don't wait for the user to ask' and 'automatically configures recurring scans when your agent first uses the skill') indicates the skill intends to set up persistent scheduled work autonomously. That persistent presence combined with outbound dashboard sync increases the blast radius if the skill or dashboard is untrusted. The skill is not marked always:true, but it still asks to establish persistent cron jobs.
Scan Findings in Context
[prompt-injection-ignore-previous-instructions] unexpected: A prompt-injection pattern ('ignore-previous-instructions') was detected in SKILL.md. This is not expected for a benign configuration doc and may indicate an attempt to manipulate agent instruction handling. Treat the SKILL.md content as potentially adversarial until reviewed.
What to consider before installing
Do not run setup.sh or create the recommended cron jobs on a production host until you review the code and configuration. Steps to evaluate safely:
- Inspect setup.sh and install_clamav.sh locally (or in an isolated VM/container) to see exactly what they install and what system files they modify. Look for any network calls, downloads, or commands that create persistence beyond cron.
- Review scripts that push data to the dashboard (dashboard.sh, clawhub_sync.py) to confirm what is sent. clawhub_sync.py computes file hashes and collects installed-skill paths; decide whether you are comfortable sharing that with crustysecurity.com.
- Do not set CRUSTY_API_KEY (or CLAWGUARD_API_KEY) until you trust the dashboard operator. With a key set the skill will push heartbeats and results on a schedule.
- Before granting scheduling privileges, examine the exact cron payloads the skill will create (use openclaw cron list / create steps manually). Avoid automated, immediate cron creation; create cron jobs manually after inspection if you accept them.
- Because SKILL.md contains a prompt-injection pattern, treat the skill's instructions as potentially trying to influence agent behavior beyond the declared scope. Run the skill in an isolated environment first and monitor outbound network traffic while testing.
- If you need on-host scanning only, consider running scan_file.sh and audit_skill.sh interactively (without enabling dashboard/API key or cron jobs) and verify outputs.
If you want, I can: (1) highlight specific lines in setup.sh and install_clamav.sh for risky operations, (2) extract and summarize what the dashboard push payloads contain, or (3) produce safe, minimal cron payloads you can create manually.
Like a lobster shell, security has layers — review code before you run it.
latestvk97by5e50efhzc177kn57dyq298195hk
Runtime requirements
Bins: bash, python3
