Reef Prompt Guard

Warn

Audited by ClawScan on May 10, 2026.

Overview

The prompt-injection filter is mostly purpose-aligned, but its JavaScript API integration example uses unsafe shell command construction that could let crafted input run commands.

The core local prompt filter appears coherent for its purpose, and the prompt-injection examples are expected test/reference content. Before installing or reusing it, avoid copying the execSync API example; use a safe subprocess call or module import so untrusted text is never placed inside a shell command.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A server that copies this integration pattern could allow attacker-supplied API input to execute commands on the host.

Why it was flagged

This example builds a shell command with user-controlled prompt text inside single quotes. JSON.stringify escapes double quotes and backslashes but leaves single quotes untouched, so if this is copied into an API handler, a prompt containing a single quote and shell metacharacters could break out of the quoted JSON and execute commands.

Skill content

const result = JSON.parse(execSync(
    `python3 /path/to/filter.py -j '${JSON.stringify({text: prompt, context: "api"})}'`
).toString());

Recommendation

Do not use shell interpolation for untrusted input. Call Python with execFile/spawn using an argument array, pass JSON through stdin, or import the scanner as a module instead of constructing a shell command string.