Clawguard Skill

Suspicious. Audited by ClawScan on May 10, 2026.

Overview

This DLP skill is purpose-aligned, but it needs review because it installs a persistent service that sees all outbound tool-call data and has fail-open, redaction, and local-service boundary weaknesses.

Before installing, verify that you trust the PyPI ClawWall package, bind the service to 127.0.0.1 unless remote access is truly needed, consider setting blockOnError=true, test redaction with multi-argument tool calls, and make sure you know how to disable the plugin and system service.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the service crashes, is not running, or is unreachable, sensitive data may leave the machine while the user believes DLP is active.

Why it was flagged

The DLP hook fails open by default when the local scanner is unreachable, so outbound calls can proceed unscanned despite the skill’s hard-blocking framing.

Skill content

const DEFAULT_CONFIG: PluginConfig = { serviceUrl: "http://127.0.0.1:8642", blockOnError: false, timeoutMs: 5000 }; ... catch (err) { ... return { allow: true }; }

Recommendation

Default to fail-closed for a DLP security control, or clearly warn users and require an explicit choice; expose health status before allowing outbound calls.

What this means

Secrets in later string arguments may remain unredacted, or a tool call may be corrupted by moving combined content into the wrong field.

Why it was flagged

The plugin scans a combined serialization of all arguments but, on redaction, replaces only the first string argument with the entire redacted content.

Skill content

const content = extractContent(context.args); ... modifiedArgs[key] = scan.content; break; // Only replace the first string arg for now

Recommendation

Map findings and redactions back to each original argument, or block the call whenever safe per-argument redaction cannot be guaranteed.

What this means

Depending on firewall and service authentication, other local-network clients may be able to reach the scan API or dashboard for a service that handles sensitive content.

Why it was flagged

A service that receives outbound tool-call content is configured to bind to all network interfaces by default, not just localhost.

Skill content

| **Python service** (port 8642) | Receives every outbound tool call for scanning | ... | `CLAWGUARD_HOST` | `0.0.0.0` | Bind address |

Recommendation

Bind to 127.0.0.1 by default, require authentication for the dashboard/API, and document any intentional remote-access configuration.

What this means

If another local process occupies that port, the plugin may send outbound tool-call content to the wrong service.

Why it was flagged

The startup hook treats any listener on port 8642 as the ClawWall service without verifying a health response or service identity.

Skill content

const alreadyRunning = await isPortInUse(PORT); if (alreadyRunning) { log(`Port ${PORT} already in use — ClawWall service appears to be running`); return; }

Recommendation

Verify the service health endpoint and an expected identity/version token before trusting the port, and fail closed if verification fails.

What this means

The most sensitive component—the service that receives every outbound tool call—may be code outside the reviewed artifact and could differ from the declared version.

Why it was flagged

The installer downloads the core Python service from PyPI and falls back to an unpinned latest version, while the Python service source is not included in the provided files.

Skill content

if pip install "clawwall==$CLAWWALL_VERSION" ... elif pip install clawwall ...

Recommendation

Vendor or include the service source, remove the unpinned fallback, publish verifiable checksums, and make the package provenance clear in registry metadata.

Note. High Confidence.
ASI10: Rogue Agents
What this means

After installation, the scanner can continue running in the background and affect future OpenClaw tool calls.

Why it was flagged

The skill discloses persistent auto-start behavior for the DLP service, which is purpose-aligned but long-running.

Skill content

The `gateway:startup` hook auto-starts the service whenever OpenClaw boots ... **systemd/launchd service** | Fallback auto-start via OS service manager |

Recommendation

Install only if persistent DLP is desired, and document clear disable/uninstall steps for the hook, plugin registration, and systemd/launchd service.