Skill v3.0.0

ClawScan security

ClawGuard-Shield · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious, Apr 4, 2026, 9:12 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (prompt-injection defense) matches most of its code and docs, but there are unexplained/incoherent pieces — notably a required external rules module (outside the package) and use of an undeclared environment variable — that warrant caution before installing.
Guidance
What to check before installing or enabling this skill:
- Source trust: The package lists no homepage and owner identity is opaque. Prefer installing only from a trusted source.
- Inspect the external dependency: src/shield.js requires '../../shared/rules/interceptor-rules.js', which is not in the manifest. Ask the author where that file comes from and review its contents; it could grant the skill access to shared platform files or include unexpected logic.
- Environment variable: The code uses process.env.OPENCLAW_CONFIG though no env vars are declared. Confirm whether the skill will read agent/system config from that path and ensure it won't be pointed at sensitive files (e.g., real agent credentials or system configs).
- File access: The 'harden' and 'fix' commands read and write config files. Only run these commands with explicit, non-sensitive test configs; do not point them at system or credential-containing files unless you have reviewed the code and outputs.
- Run in a sandbox first: Execute the CLI in an isolated environment to observe its behavior and any filesystem changes. Confirm no network calls or exfiltration occur (there are no network dependencies declared, but manual verification is prudent).
- Ask for documentation: Request that the maintainer document the shared rules dependency, the exact file/format expected for OPENCLAW_CONFIG, and the exact modifications performed by the harden/fix flows.
Given the incoherences (external require and undeclared env usage), treat this skill as 'suspicious' until the above clarifications and code reviews have been completed.
Findings
[ignore-previous-instructions] expected: SKILL.md intentionally lists phrases like 'ignore previous instructions' because the skill is detecting prompt-injection and jailbreak phrases. Presence of this string is expected, but note the pre-scan flagged it as a potential injection attempt to manipulate evaluations — review to ensure SKILL.md does not attempt to alter evaluator behavior.
[you-are-now] expected: The phrase 'you are now' appears in the role-hijack detection examples. This is expected for a detection tool, but the evaluator should confirm these examples are passive (patterns only) and not instructions intended to change agent state.
[unicode-control-chars] expected: The SKILL.md explicitly documents zero-width and RTL override characters as detection targets; this explains the flag. Still, zero-width/unicode-control patterns in SKILL.md are both normal and sensitive — verify code handling is correct to avoid false negatives/positives.

Review Dimensions

Purpose & Capability
concern: Name, README, SKILL.md, and most code implement a prompt-injection detection/hardening tool, which is coherent. However, src/shield.js requires '../../shared/rules/interceptor-rules.js' (a module not included in the skill manifest), which implies a dependency on a host-provided or sibling file that is not documented. The CLI also offers harden/fix operations that read and write arbitrary config files; that capability fits the stated purpose but increases the sensitivity of what the skill can touch. The external require and undocumented expectations are disproportionate to the published metadata and are unexplained.
Instruction Scope
concern: SKILL.md describes only input scanning and producing SAFE/LOW_RISK/etc. The code implements that, plus 'harden' and 'fix' flows that read a config file path (or process.env.OPENCLAW_CONFIG) and write hardened configs. The manifest declares no required config paths or env vars, but the runtime will read user-supplied filesystem paths and an undeclared OPENCLAW_CONFIG environment variable. That means the skill can read and modify files outside the narrow 'check this text' scope in ways not documented in SKILL.md.
Install Mechanism
ok: No install spec and no external downloads; the skill is instruction+code only and has no package dependencies declared. This lowers supply-chain risk. There are no brew/npm/install URLs or extracted archives in the manifest.
Credentials
concern: The registry metadata lists no required env vars, yet the CLI/code reads process.env.OPENCLAW_CONFIG as a fallback and will read/write arbitrary config paths passed on the command line. The skill also expects a shared rules module outside its package. Requesting access to filesystem paths and relying on an undeclared env var is disproportionate to a simple input scanner and should be documented and justified by the author.
Persistence & Privilege
concern: always:false (good), but the code's dependency on '../../shared/...' suggests it may attempt to access files outside its own package (potentially other skills' or platform-shared data). The skill can read and write configuration files supplied by the user; combined with the undocumented external dependency, this raises privilege and data-exposure concerns that should be clarified. It does not declare altering other skills, but the path access is anomalous.