Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawGuard-Detector

v3.0.0

ClawGuard Threat Detector - Real-time behavioral monitoring, attack pattern detection, MITRE ATT&CK mapping, and AI-powered anomaly detection for OpenClaw ru...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The README/SKILL.md claim real-time command, file and network monitoring that requires system-level hooks (auditd, network sniffing, access to logs). The shipped code implements pattern-based analysis functions (analyzeCommand, analyzeFileAccess) but contains no actual auditd/network capture integration. SKILL.md lists required system binaries (node, python3, auditd, ss, grep, sha256sum, python libs) yet the registry metadata shows no required binaries and package.json has no native deps — this mismatch suggests the skill overclaims capabilities it doesn't implement or expects host-side integration not declared.
! Instruction Scope
SKILL.md explicitly instructs checking sensitive paths (~/.ssh, ~/.aws, /etc/shadow, shell histories) and persisting learning data to .safety/ATTEMPTS.md. While the code exposes analyzeFileAccess and analyzeCommand APIs rather than directly reading files, the documentation encourages reading logs/history and updating safety rules. Those instructions grant broad discretion to read/write sensitive files and to create dynamic rules, which is scope-creep relative to a simple analyzer and could lead to unintended access or persistence.
Install Mechanism
No install specification is provided (instruction-only plus included JS files). That limits remote install risk because nothing is downloaded during install. However the included CLI attempts to spawn a sibling script (../self-improving-safety/cli.js) at runtime, which effectively delegates execution to whatever exists at that path.
Credentials
The package requests no environment variables or platform config paths in the registry metadata. That is coherent with the included code, which does not require API keys. However, the SKILL.md expects read access to process logs, command history and network monitoring, and write access to persist safety rules; none of these privileges are declared. The CLI examples also reference an API key (curl ... $API_KEY), but the skill does not require or manage secrets, which is inconsistent.
! Persistence & Privilege
The skill can persist 'self-learned' rules (writes to .safety/ATTEMPTS.md per docs) and the CLI actively spawns a sibling 'self-improving-safety' CLI when threats are detected. That means at runtime it may write files and execute local code outside its own module. While 'always' is false, autonomous invocation is permitted; combining that with file writes and child-process execution increases the attack surface if untrusted code exists in the environment.
Scan Findings in Context
[ignore-previous-instructions] expected: The SKILL.md lists 'ignore previous instructions' as an example of prompt-injection to detect; the static scanner flagged that phrase. Its presence in documentation is expected (it's a detection target), but any skill that also contains mechanisms to write rules or execute sibling scripts should be reviewed carefully to ensure it isn't trying to manipulate prompts or evaluation flows at runtime.
What to consider before installing
This skill looks like a defender tool but has inconsistencies and some risky behaviors. Before installing or enabling it broadly:
1) Don't grant it broad filesystem or network privileges until you review it — it encourages reading ~/.ssh, ~/.aws, /etc/shadow and writing to .safety/.
2) Inspect or sandbox the 'self-improving-safety/cli.js' path (the CLI will spawn a sibling CLI if present); an attacker could plant code there to get executed.
3) Verify whether your environment provides the claimed system integrations (auditd, network capture). Right now the code lacks those integrations despite the documentation claiming them.
4) If you test it, run it in an isolated environment or container without sensitive credentials, and disable any auto-blocking or rule-persistence features until you’re satisfied.
5) Ask the author for clarification about required host privileges and for the code of the self-improving-safety module; lack of clear justification for filesystem/network access is the main reason this is 'suspicious'.
cli.js:42
Shell command execution detected (child_process).
! SKILL.md:58
Prompt-injection style instruction pattern detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.


latestvk9743y26zvh9xmp8893462w87n847bbf
