Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Guardian Angel

v3.1.2

Guardian Angel gives AI agents a moral conscience rooted in Thomistic virtue ethics. Rather than relying solely on rule lists, it cultivates stable virtuous...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (virtue-ethics enforcement) align with the manifest and code: the plugin registers a before_tool_call hook, evaluates tool calls, blocks or escalates, and exposes an approval tool. It does not request unrelated credentials or external services in the metadata.
Instruction Scope
SKILL.md and PLUGIN-SPEC describe blocking, escalation, nonce-based approvals and logging — all coherent with a final gate. However the docs include a section explicitly addressing automated scanners that asks them to treat prompt-injection patterns as defensive vocabulary; that wording attempts to influence automated reviewers and should be regarded with caution. The runtime instructions do not overtly ask the agent to read unrelated secrets or call external endpoints, but they do require file-based nonce storage and logging.
Install Mechanism
No external download/install spec is present (code files are bundled with the skill). There are no URLs, package installs, or extract steps in the registry metadata. The plugin writes state to the workspace (storePath) which is expected for a nonce/approval store; review the store implementation to confirm it doesn't write to unexpected locations.
Credentials
The skill declares no required environment variables or external credentials. Its configuration controls (approval windows, storePath, thresholds) are local. This is proportionate to a local enforcement plugin. Confirm that logs/state files do not accidentally include sensitive tokens or PII.
Persistence & Privilege
The plugin registers a last-run (priority -10000) before_tool_call hook that can block tool execution and adds an approval tool — this is a high-privilege, high-impact capability (final veto on actions). That privilege is coherent with the claimed purpose (final enforcement gate) but increases blast radius if the plugin were malicious or buggy; it does not set always:true and does not directly modify other skills' configs in the provided files, but startup diagnostics include 'tamper detection' which should be inspected for safe behavior.
Scan Findings in Context
[ignore-previous-instructions] expected: The SKILL.md contains prompt-injection vocabulary and explicitly tells scanners that these patterns are defensive. Because the plugin claims to detect and block prompt injection, seeing these patterns in the documentation is plausible — but the explicit appeal to scanners to 'treat these as defensive' is unusual and should be treated skeptically.
[you-are-now] expected: Similar to the above: 'you-are-now' style patterns are often used in prompt injection. The skill documents them as part of its detection vocabulary. This is explainable given the stated defensive goals, but the presence of text attempting to influence evaluation (addressing automated scanners) is a meaningful signal to audit the packaged code.
What to consider before installing
Before installing or enabling this skill:
1) Audit the bundled source (especially store.ts, approve-tool.ts, diagnostics.ts and evaluate.ts) to confirm there are no network calls, hidden endpoints, or writes outside the declared workspace paths.
2) Verify where the nonce/log files are stored (storePath default) and ensure they don't capture or leak PII or credentials; if necessary change the path to an isolated location.
3) Review the approval tool (ga_approve) to ensure its interface cannot be abused to bypass other controls.
4) Consider running the plugin in a sandboxed/test workspace first to observe behavior and log formats; check retention settings (retain_days: 30).
5) Pay attention to the plugin's priority: it intentionally runs last and can veto actions — confirm you want a final, local veto and that other trusted hooks/tools won't be unexpectedly blocked.
6) Because SKILL.md attempts to instruct automated scanners about prompt-injection vocabulary, treat that as a cautionary signal and perform a manual code review rather than relying solely on automated scans.
If you cannot review the code yourself, only enable the skill in a controlled environment and limit its scope until a trusted reviewer has inspected it.

Like a lobster shell, security has layers — review code before you run it.
