Crusty Security
Review
Audited by ClawScan on Feb 16, 2026.
Overview
The skill broadly matches its claimed purpose (on-host scanning + optional dashboard) but contains multiple coherence issues and instructions that could lead to unexpected persistent behavior and data sharing unless you review and control them first.
Do not run setup.sh or create the recommended cron jobs on a production host until you review the code and configuration. Steps to evaluate safely:
- Inspect setup.sh and install_clamav.sh locally (or in an isolated VM/container) to see exactly what they install and what system files they modify. Look for any network calls, downloads, or commands that create persistence beyond cron.
- Review scripts that push data to the dashboard (dashboard.sh, clawhub_sync.py) to confirm what is sent. clawhub_sync.py computes file hashes and collects installed-skill paths; decide whether you are comfortable sharing that with crustysecurity.com.
- Do not set CRUSTY_API_KEY (or CLAWGUARD_API_KEY) until you trust the dashboard operator. With a key set the skill will push heartbeats and results on a schedule.
- Before granting scheduling privileges, examine the exact cron payloads the skill will create (use openclaw cron list / create steps manually). Avoid automated, immediate cron creation; create cron jobs manually after inspection if you accept them.
- Because SKILL.md contains a prompt-injection pattern, treat the skill's instructions as potentially trying to influence agent behavior beyond the declared scope. Run the skill in an isolated environment first and monitor outbound network traffic while testing.
- If you need on-host scanning only, consider running scan_file.sh and audit_skill.sh interactively (without enabling dashboard/API key or cron jobs) and verify outputs.
If you want, I can: (1) highlight specific lines in setup.sh and install_clamav.sh for risky operations, (2) extract and summarize what the dashboard push payloads contain, or (3) produce safe, minimal cron payloads you can create manually.
