ClawSafe
v1.1.0Multi-layer security detector for AI agents. Blocks prompt injection, jailbreak, XSS, SQL injection, API key leaks, supply chain attacks, and deployment vuln...
⭐ 0· 243·1 current·1 all-time
bybvzgong@silvertime
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (multi-layer security detector) match the code and files: detectors for LLM/Web/API/SupplyChain/Deploy layers, a gateway hook to intercept messages, and rule JSON files. It does not request unrelated credentials, binaries, or config paths.
Instruction Scope
SKILL.md and hook/handler.js limit behavior to scanning input/events and returning block messages; instructions and examples are scoped to that purpose. The runtime code only reads files from the skill directory (config, rules, whitelist) and event fields; it does not access system-wide config, external endpoints, or environment secrets.
Install Mechanism
There is no remote download/install step; code is packaged with the skill (package.json + hook). No brew/npm/URL downloads or archive extraction are used. However, the skill is delivered as source code — review is possible and recommended.
Credentials
The skill declares no required environment variables, credentials, or config paths. It does scan for secret-like patterns in user input but does not request secrets itself.
Persistence & Privilege
The hook is designed to be registered as middleware and intercepts 'message:received', 'message:preprocessed', and 'agent:input' events, giving it the ability to block input before the agent handles it. This is expected for a security middleware but is a meaningful privilege — consider scope/placement and testing before enabling in production.
Scan Findings in Context
[ignore-previous-instructions] expected: The SKILL.md and examples deliberately include prompt-injection strings (e.g., 'Ignore previous instructions') to demonstrate detection rules; the static scanner flagged these tokens but their presence aligns with the skill's purpose of detecting prompt injection.
Assessment
This package appears coherent: it implements a local regex-based detector and a hook that intercepts messages to block threats. Before installing: 1) Review the rule files and whitelist to avoid undesired false positives (some regexes are broad). 2) Because the skill can block all incoming messages, test in a staging environment and confirm middleware ordering so legitimate inputs are not dropped. 3) Verify the source/author (there is no homepage) — if you cannot validate the publisher, inspect the code yourself (or have security staff do so) before deploying. 4) If you accept it, restrict its use initially to non-production agents and monitor logs to tune thresholds and whitelist entries.Like a lobster shell, security has layers — review code before you run it.
latestvk9747dq38g9s87fj5q7pvgxbwn82hwhf
License
MIT-0
Free to use, modify, and redistribute. No attribution required.