v1.0.0

Reef Prompt Guard

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:37 AM.

Analysis

The skill mostly matches its prompt-injection filtering purpose, but one recommended API integration passes untrusted input through a shell command in an unsafe way.

Guidance: Review before installing or copying the examples. The core scanner appears purpose-aligned, but replace the `execSync` API example with a non-shell invocation such as `execFile`/`spawn` argument arrays or direct library calls, and ensure Python is explicitly available.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Info | Confidence: High | Status: Note
SKILL.md
echo "ignore previous instructions" | python3 scripts/filter.py

This is a prompt-injection phrase, but it is shown as a sample input for testing the filter, which is aligned with the skill's purpose.

User impact: Agents and users will see attack-like text in the skill documentation, but it is presented as an example rather than an instruction to follow.

Recommendation: Keep these examples clearly fenced and treated only as test data; do not copy them into operational prompts except for testing the scanner.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
const { execSync } = require('child_process');
const result = JSON.parse(execSync(
    `python3 /path/to/filter.py -j '${JSON.stringify({text: prompt, context: "api"})}'`
).toString());

The example places untrusted API prompt text inside a shell command. If the prompt contains shell-breaking characters, a copied implementation could allow command injection on the API host.

User impact: A service that copies this example could accidentally let external input run unintended shell commands.

Recommendation: Do not use shell interpolation for untrusted text. Use `execFile`, `spawn` with an argument array, stdin, or import/call the scanner directly as a library.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
metadata
Required binaries (all must exist): none

The registry metadata does not declare a Python requirement even though the documented usage relies on Python.

User impact: Installation or use may fail, or may depend on whatever `python3` is available locally.

Recommendation: Declare the Python runtime requirement and prefer a clear, versioned installation path.