Input Guard
v1.0.1
Scan untrusted external text (web pages, tweets, search results, API responses) for prompt injection attacks. Returns severity levels and alerts on dangerous content. Use BEFORE processing any text from untrusted sources.
⭐ 5 · 2.8k · 5 current · 5 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence
Purpose & Capability
The skill claims a local, pattern-first scanner (no deps) but the codebase also includes optional LLM analysis, taxonomy refresh, and integrations that use environment API keys and the 'openclaw' CLI. The skill metadata declared no required env vars or binaries, yet scripts refer to OPENAI_API_KEY, ANTHROPIC_API_KEY, PROMPTINTEL_API_KEY, OPENCLAW_ALERT_CHANNEL, and call the 'openclaw' CLI and expect other skill scripts (molthreats.py) in the workspace. Those runtime capabilities are reasonable for LLM-powered analysis and alerting, but they are not declared up front — a mismatch that matters for least privilege.
Instruction Scope
SKILL.md and INTEGRATION.md keep to the stated purpose (pattern scanning, optional LLM analysis, optional community reporting). However, the runtime instructions include: (a) optionally sending the full untrusted text to external LLM providers; (b) refreshing the taxonomy from a remote API when PROMPTINTEL_API_KEY is set; (c) sending alerts via an OpenClaw channel by calling the openclaw CLI; and (d) optionally running a report script that invokes a molthreats script elsewhere in the workspace. These actions are within the stated goal but involve transmitting fetched content and interacting with local agent config and other skills, which a user should explicitly expect before enabling.
Install Mechanism
No install spec is provided (code is shipped in the skill directory). That reduces silent network installs, which is good. requirements.txt lists 'requests' for LLM/taxonomy features and README instructs pip install if LLM modes are used. No external non-standard download URLs are present. Note: the skill runs subprocesses (openclaw) and expects other local scripts; those cross-skill dependencies increase operational coupling but are not an install-time network risk.
Credentials
The skill metadata declares no required environment variables, but the code reads and uses multiple secrets and configuration sources: OPENAI_API_KEY, ANTHROPIC_API_KEY, PROMPTINTEL_API_KEY, OPENCLAW_ALERT_CHANNEL, and OPENCLAW_ALERT_TO. The llm_scanner also attempts to read OpenClaw gateway config via a subprocess call and extract API keys from it — which can surface credentials belonging to other skills or the agent. This is disproportionate to a purely local pattern scanner and should be explicitly declared and consented to before enabling LLM/alert/reporting features.
Persistence & Privilege
always:false and no automatic installs reduce privilege concerns. README/UNINSTALL text claims the skill may add a section to AGENTS.md during installation, but no explicit installer script is included, an inconsistency to clarify. The larger risk is at runtime: because the skill can be invoked autonomously (platform default) and can call the openclaw CLI (to read config or send messages), it could access workspace-level data if the environment or openclaw config is available. That access, combined with the LLM/reporting paths, increases blast radius, though the skill does not request permanent 'always' inclusion.
Scan Findings in Context
[ignore-previous-instructions] expected: The phrase appears in taxonomy/examples and pattern rules (explicit prompt-injection examples). This is expected content for a prompt-injection scanner and not evidence of malicious intent on its own.
[you-are-now] expected: Role-manipulation examples (e.g., 'you are now ...') are intentionally present in detection patterns and test cases; expected for this skill.
[system-prompt-override] expected: Taxonomy and examples reference system prompt override phrases. Detection finds these examples inside the skill docs and pattern lists, which is deliberate for testing and documentation.
What to consider before installing
This skill implements a useful, pattern-first prompt-injection scanner and includes optional LLM and community-reporting features — but there are a few important mismatches and operational risks you should consider before installing or enabling LLM/alert/reporting modes:
1) Undeclared credentials and CLI dependency: The skill metadata declares no required env vars or binaries but the code uses OPENAI_API_KEY, ANTHROPIC_API_KEY, PROMPTINTEL_API_KEY, and calls the 'openclaw' CLI. If you enable LLM or alert/reporting features the skill may read environment variables or probe OpenClaw gateway config to find keys. Only enable those features if you trust the code and are willing to expose those keys.
2) Potential exposure of other workspace keys: llm_scanner tries to obtain API keys from the openclaw gateway config (via subprocess). If your OpenClaw config contains other services' keys, the skill could surface them at runtime. Review/limit what the openclaw CLI exposes or avoid running LLM/auto-detection that triggers that path.
3) External network behavior: Enabling --llm or taxonomy refresh will send the scanned text (potentially sensitive) to third-party APIs (OpenAI/Anthropic/PromptIntel). If you cannot send fetched content to those providers, stick to pattern-only mode (which is zero-dependency and runs locally).
4) Cross-skill actions: The report-to-molthreats.sh script expects a molthreats.py in another skill's workspace. Confirm you want automatic cross-skill reporting and that the target script is trusted. The skill's docs mention adding AGENTS.md entries during installation — verify whether that is automatic in your environment.
5) What to do before enabling: (a) Inspect scripts/scan.py, llm_scanner.py, and report-to-molthreats.sh yourself; (b) Run pattern-only scans locally (no API keys) to verify behavior; (c) If you need LLM analysis, create dedicated LLM keys with limited scope and do not leave unrelated keys in your openclaw config; (d) Set OPENCLAW_ALERT_CHANNEL only if you want alerts sent to that destination; (e) If you require strict isolation, do not enable --llm, PROMPTINTEL_API_KEY, or the alert/reporting features.
If you want, I can (1) list the exact lines that call the 'openclaw' CLI and where environment keys are read, or (2) suggest a minimal safe configuration (pattern-only) and show how to run it.
Like a lobster shell, security has layers — review code before you run it.
