ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sentinel- OpenClaw Runtime Security

Runtime security guardian for OpenClaw agents. Use this skill whenever the user mentions security, skill safety, prompt injection, malware, suspicious behavi...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 31 · 0 current installs · 0 all-time installs
by@spaceman420urdog-afk
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The SKILL.md and Rust sources implement the claimed features (integrity hashing, prompt-injection scanning, credential scanning, daemon/egress/process monitoring, and optional VirusTotal lookups). However the registry metadata said 'instruction-only' / no install spec while the SKILL.md and README explicitly instruct building/installing a compiled 'sentinel' binary and reference GitHub releases — a mismatch to be aware of. Declared optional env vars (SENTINEL_WALLET, SENTINEL_RPC, SENTINEL_VT_KEY) align with the premium features and VirusTotal integration.
Instruction Scope
Runtime instructions and source show the binary will scan ~/.openclaw/skills, read SKILL.md files, inspect SOUL.md and MEMORY.md, compute hashes, write baselines and logs to ~/.sentinel, and (when daemon/egress features enabled) read process info (/proc, lsof) and network connections. Those actions are coherent with the stated purpose but are high-privilege (file system and process inspection). The SKILL.md/payment flow also describes automatically signing x402/USDC payments with the local wallet (though price is shown beforehand); this deserves explicit user attention/configuration.
Install Mechanism
No install spec is present in the registry, but the README and SKILL.md provide 'cargo build' and GitHub release download instructions. Sources are included so building locally is possible (lower risk if you build), and release URLs point to GitHub releases (reasonable). Still, building/placing a binary affects disk and executable state — verify checksums and optionally build from source rather than using a prebuilt binary.
Credentials
The skill requests only optional env vars (wallet, RPC, VirusTotal key) that are relevant. It will create and store a local machine secret, encrypted wallet files, baselines, logs, and quarantine directories under ~/.sentinel, and it reads ~/.openclaw skill files. Those accesses are proportional to its goals but are sensitive (access to skill directories, process sockets, and local wallet). No unexpected external credentials are requested.
Persistence & Privilege
always:false and user-invocable:true. The skill stores its own state under ~/.sentinel, may run a daemon if you enable premium, and can move skills to a quarantine directory — all within its described scope. It does not request force-inclusion or system-wide configuration access beyond its own files, though daemon mode implies continuous monitoring if enabled.
Scan Findings in Context
[ignore-previous-instructions] expected: The pre-scan detected the prompt-injection pattern token because the skill ships an injection-pattern library and documents prompt-injection examples; that is expected and is part of its detection rules rather than evidence it will perform prompt-injection itself.
Assessment
This package is coherent: it is a local runtime monitor that must read your OpenClaw skill directory, inspect files, and (if you enable premium/daemon) inspect process/network state and manage a local wallet for tiny payments. Before installing: 1) Prefer building from the included source and verify checksums if using a release binary. 2) Review and confirm the payment recipient address and set 'wallet set-limit' to 0 (or a small value) to prevent automatic auto-approvals. 3) Understand it will create ~/.sentinel (machine.key, keystore, baselines, logs) and may move quarantined skill folders — back up any important files first. 4) Note small metadata inconsistencies (registry marked instruction-only vs. included source and build steps, and mixed license text across files) — ask the author or verify the upstream repository if that matters to you. 5) If you need purely offline, free-tier behavior, run with --offline (daemon/egress/process features are premium and can be disabled).
!
references/threat-model.md:33
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97etv7c9gpak9esrst7xshx3x830hhz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

runtime-sentinel

A runtime security skill for OpenClaw. Defends against the threat landscape exposed by ClawHavoc: backdoored skills, prompt injection via external data, credential exfiltration, and process-level abuse.

Free tier: skill integrity checks, basic injection scanning.
Premium (x402/USDC/Base): continuous daemon monitoring, network egress monitoring, process anomaly detection, full audit log.

Quick start

# One-shot audit of all installed skills (free)
sentinel audit

# Continuous guardian daemon (premium — will prompt for x402 payment)
sentinel daemon start

# Scan a single skill before installing
sentinel check <skill-path-or-clawhub-id>

What runtime-sentinel defends against

See references/threat-model.md for the full threat matrix. In brief:

ThreatFeatureTier
Tampered skill files post-installIntegrity hashingFree
Prompt injection via email/web/skill outputInjection scannerFree
Plaintext secrets in skill dirs / SOUL.mdCredential auditorFree
Unexpected outbound connectionsEgress monitorPremium
Shell commands outside declared behaviorProcess anomalyPremium
Continuous real-time protectionDaemon modePremium

Workflow

1 — First-time setup

# Install the binary (built from scripts/src/)
cargo install --path scripts/ --bin sentinel

# Verify installation and print wallet address
sentinel setup

sentinel setup will:

  • Generate or import a Base wallet (BIP-39, stored in ~/.sentinel/wallet)
  • Print the wallet address so the user can fund it with USDC for premium
  • Run a free baseline audit and print results

2 — On-demand audit (free)

When the user says anything like "scan my skills", "audit", "check for threats":

sentinel audit [--path ~/.openclaw/skills]

Output: a structured report of hash mismatches, injection patterns, and exposed credentials. No payment required.

3 — Single skill check before install (free)

When the user wants to vet a skill before running clawhub install:

sentinel check <skill-directory-or-clawhub-id>

Prints a risk score (LOW / MEDIUM / HIGH / CRITICAL) with findings.

4 — Premium features via x402

When the user asks for daemon mode, egress monitoring, or process anomaly detection, sentinel will automatically:

  1. Hit the sentinel API endpoint
  2. Receive a 402 Payment Required with price in the X-Payment-Request header (typically $0.01–$0.05/day for daemon mode)
  3. Sign the USDC transfer from ~/.sentinel/wallet
  4. Retry the request — access granted for the paid period

The user will see the price before their wallet signs anything. All non-custodial. See references/x402-payment.md for the full payment flow.

5 — Daemon mode (premium)

sentinel daemon start    # runs in foreground, writes to ~/.sentinel/daemon.log
# Run in background from your shell if needed:
#   sentinel daemon start > ~/.sentinel/daemon.log 2>&1 &
#   disown
sentinel daemon status
sentinel daemon stop
sentinel daemon logs     # tail the audit log

The daemon watches:

  • ~/.openclaw/skills/** for file mutations (inotify / FSEvents)
  • ~/.openclaw/SOUL.md and MEMORY.md for unauthorized writes
  • Network connections made by skill subprocesses
  • Child process trees for undeclared shell commands

Alerts are delivered via OpenClaw's notification system and written to the audit log.

Interpreting results

Risk levels

  • LOW: No findings, or informational only (e.g. skill requests network but declares it)
  • MEDIUM: Undeclared permission, suspicious pattern, or stale hash
  • HIGH: Known malicious pattern, credential exposure, or undeclared egress
  • CRITICAL: Active exfiltration attempt, reverse shell indicator, or SOUL.md mutation

What to do on HIGH / CRITICAL

  1. sentinel isolate <skill-name> — quarantines the skill (moves it out of the active skills directory)
  2. Review the finding in ~/.sentinel/audit.log
  3. Check the skill's ClawHub VirusTotal report
  4. If confirmed malicious, clawhub uninstall <skill> and report via sentinel report <skill-name>

Reference files

Read these when you need deeper detail:

  • references/threat-model.md — Full threat matrix and attack descriptions from ClawHavoc and similar campaigns
  • references/x402-payment.md — x402 payment flow, wallet setup, and troubleshooting
  • references/binary-build.md — How to build sentinel from source, cross- compilation targets, CI/CD

Wallet setup for premium features

sentinel wallet show      # print address and USDC balance
sentinel wallet fund      # print QR code and address to send USDC
sentinel wallet export    # export mnemonic for backup (handle carefully)
sentinel wallet recover   # restore from mnemonic on a new machine

Minimum recommended balance for uninterrupted daemon mode: $1 USDC (roughly 20–100 days of coverage depending on scan frequency).

Privacy

sentinel is fully local. No skill content, file paths, or scan results are sent to any server. The only outbound calls are:

  1. x402 payment verification to the Base facilitator (amount + wallet address only)
  2. Optional: VirusTotal hash lookups (hash only, no file content)

Both can be disabled with --offline for air-gapped environments (free tier only in offline mode).

Files

17 total
Select a file
Select a file to preview.

Comments

Loading comments…