Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawGuard-Shield

v3.0.0

ClawGuard Shield v3 - Active defense with prompt injection detection, intent validation, zero-width character detection, and intent integrity verification

⭐ 0· 29·0 current·0 all-time

by@stardreaming

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

Purpose & Capability

Name, README, SKILL.md, and most code implement a prompt-injection detection/hardening tool which is coherent. However src/shield.js requires '../../shared/rules/interceptor-rules.js' (a module not included in the skill manifest) which implies a dependency on a host-provided or sibling file that is not documented. The CLI also offers harden/fix operations that read and write arbitrary config files; that capability fits the stated purpose but increases the sensitivity of what the skill can touch. The external require and undocumented expectations are disproportionate to the published metadata and are unexplained.

Instruction Scope

SKILL.md describes only input scanning and producing SAFE/LOW_RISK/etc. The code implements that, plus 'harden' and 'fix' flows that read a config file path (or process.env.OPENCLAW_CONFIG) and write hardened configs. The manifest declares no required config paths or env vars, but the runtime will read user-supplied filesystem paths and an undeclared OPENCLAW_CONFIG environment variable. That means the skill can read and modify files outside the narrow 'check this text' scope in ways not documented in SKILL.md.

✓

Install Mechanism

No install spec and no external downloads; the skill is instruction+code only and has no package dependencies declared. This lowers supply-chain risk. There are no brew/npm/install URLs or extracted archives in the manifest.

Credentials

The registry metadata lists no required env vars, yet the CLI/code reads process.env.OPENCLAW_CONFIG as a fallback and will read/write arbitrary config paths passed on the command line. The skill also expects a shared rules module outside its package. Requesting access to filesystem paths and relying on an undeclared env var is disproportionate to a simple input-scanner and should be documented and justified by the author.

Persistence & Privilege

always:false (good), but the code's dependency on '../../shared/...' suggests it may attempt to access files outside its own package (potentially other skills' or platform-shared data). The skill can read and write configuration files supplied by the user; combined with the undocumented external dependency, this raises privilege and data-exposure concerns that should be clarified. It does not declare altering other skills, but the path access is anomalous.

Scan Findings in Context

[ignore-previous-instructions] expected: SKILL.md intentionally lists phrases like 'ignore previous instructions' because the skill is detecting prompt-injection and jailbreak phrases. Presence of this string is expected, but note the pre-scan flagged it as a potential injection attempt to manipulate evaluations — review to ensure SKILL.md does not attempt to alter evaluator behavior.

[you-are-now] expected: The phrase 'you are now' appears in the role-hijack detection examples. This is expected for a detection tool, but the evaluator should confirm these examples are passive (patterns only) and not instructions intended to change agent state.

[unicode-control-chars] expected: The SKILL.md explicitly documents zero-width and RTL override characters as detection targets; this explains the flag. Still, zero-width/unicode-control patterns in SKILL.md are both normal and sensitive — verify code handling is correct to avoid false negatives/positives.

What to consider before installing

What to check before installing or enabling this skill: - Source trust: The package lists no homepage and owner identity is opaque. Prefer installing only from a trusted source. - Inspect the external dependency: src/shield.js requires '../../shared/rules/interceptor-rules.js' which is not in the manifest. Ask the author where that file comes from and review its contents; it could grant the skill access to shared platform files or include unexpected logic. - Environment variable: The code uses process.env.OPENCLAW_CONFIG though no env vars are declared. Confirm whether the skill will read agent/system config from that path and ensure it won't be pointed at sensitive files (e.g., real agent credentials or system configs). - File access: The 'harden' and 'fix' commands read and write config files. Only run these commands with explicit, non-sensitive test configs; do not point to system or credential-containing files unless you have reviewed the code and outputs. - Run in a sandbox first: Execute the CLI in an isolated environment to observe behavior and any filesystem changes. Confirm no network calls or exfiltration occur (there are no network dependencies declared, but manual verification is prudent). - Ask for documentation: Request that the maintainer document the shared rules dependency, the exact file/format expected for OPENCLAW_CONFIG, and the exact modifications performed by the harden/fix flows. Given the incoherences (external require and undeclared env usage), treat this skill as 'suspicious' until the above clarifications and code reviews have been completed.

SKILL.md:448

Prompt-injection style instruction pattern detected.

About static analysis

These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latestvk9767x6nfvsxqbsc9xfxmtn0t1846c6b

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

ClawGuard-Shield

License

Comments