Skill v1.0.0

ClawScan security

Sentinel - OpenClaw Runtime Security · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 1:59 AM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code, instructions, and declared features are broadly consistent with a local runtime security guardian, but there are a few metadata and operational mismatches you should review before installing (wallet/payments, build/install steps, and where it will read/write on your machine).
Guidance
This package is coherent: it is a local runtime monitor that must read your OpenClaw skill directory, inspect files, and (if you enable premium/daemon) inspect process/network state and manage a local wallet for tiny payments. Before installing:
1) Prefer building from the included source, and verify checksums if you use a release binary.
2) Review and confirm the payment recipient address, and set 'wallet set-limit' to 0 (or a small value) to prevent automatic approvals.
3) Understand that it will create ~/.sentinel (machine.key, keystore, baselines, logs) and may move quarantined skill folders; back up any important files first.
4) Note the small metadata inconsistencies (registry marked instruction-only vs. included source and build steps, and mixed license text across files); ask the author or verify the upstream repository if that matters to you.
5) If you need purely offline, free-tier behavior, run with --offline (daemon/egress/process features are premium and can be disabled).
Findings
[ignore-previous-instructions] expected: The pre-scan detected the prompt-injection pattern token because the skill ships an injection-pattern library and documents prompt-injection examples; that is expected and is part of its detection rules rather than evidence it will perform prompt-injection itself.

Review Dimensions

Purpose & Capability
note: The SKILL.md and Rust sources implement the claimed features (integrity hashing, prompt-injection scanning, credential scanning, daemon/egress/process monitoring, and optional VirusTotal lookups). However, the registry metadata says 'instruction-only' / no install spec, while the SKILL.md and README explicitly instruct building/installing a compiled 'sentinel' binary and reference GitHub releases, a mismatch to be aware of. Declared optional env vars (SENTINEL_WALLET, SENTINEL_RPC, SENTINEL_VT_KEY) align with the premium features and VirusTotal integration.
Instruction Scope
note: Runtime instructions and source show the binary will scan ~/.openclaw/skills, read SKILL.md files, inspect SOUL.md and MEMORY.md, compute hashes, write baselines and logs to ~/.sentinel, and (when daemon/egress features are enabled) read process info (/proc, lsof) and network connections. Those actions are coherent with the stated purpose but are high-privilege (file system and process inspection). The SKILL.md/payment flow also describes automatically signing x402/USDC payments with the local wallet (though the price is shown beforehand); this deserves explicit user attention/configuration.
Install Mechanism
note: No install spec is present in the registry, but the README and SKILL.md provide 'cargo build' and GitHub release download instructions. Sources are included, so building locally is possible (lower risk if you build), and release URLs point to GitHub releases (reasonable). Still, building/placing a binary affects disk and executable state; verify checksums and preferably build from source rather than using a prebuilt binary.
Credentials
note: The skill requests only optional env vars (wallet, RPC, VirusTotal key) that are relevant. It will create and store a local machine secret, encrypted wallet files, baselines, logs, and quarantine directories under ~/.sentinel, and it reads ~/.openclaw skill files. Those accesses are proportional to its goals but are sensitive (access to skill directories, process sockets, and the local wallet). No unexpected external credentials are requested.
Persistence & Privilege
ok: always:false and user-invocable:true. The skill stores its own state under ~/.sentinel, may run a daemon if you enable premium, and can move skills to a quarantine directory, all within its described scope. It does not request force-inclusion or system-wide configuration access beyond its own files, though daemon mode implies continuous monitoring if enabled.