Skill v1.0.0
ClawScan security
prompt-inject-removal-p · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 24, 2026, 4:36 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, instructions, and requested privileges are coherent with a prompt-sanitization purpose: it contains defensive examples of prompt-injection strings but asks for no credentials, installs nothing risky, and uses only local instruction files.
- Guidance: This skill is internally coherent with its stated purpose, but remember: prompt-based sanitization cannot be 100% reliable. Before installing or using it in production: (1) run adversarial tests (inputs containing nested tags, closing tags, and common injection phrases) to verify behavior; (2) always review sanitized summaries before performing state-changing actions; (3) consider running the sanitization step in an isolated sub-agent or sandbox for high-risk data; (4) remove or clarify the stray garbage tokens in SKILL.md to avoid ambiguity. If you need absolute guarantees, combine this tool with additional runtime isolation or instrumentation.
- Findings:
  - [ignore-previous-instructions] expected: The phrase is present in PROMPT.md and SKILL.md as an example of injection to detect/remove; this is a defensive inclusion and expected for a sanitization skill.
  - [system-prompt-override] expected: References to system-prompt override appear as examples of adversarial strings to detect. This is consistent with the skill's threat-model documentation.
Review Dimensions
- Purpose & Capability (ok): Name/description (prompt injection removal) matches the actual artifacts: instruction-only sanitization prompts (PROMPT.md), security docs, and a harmless setup.sh that writes these files. No unrelated credentials, binaries, or network installs are requested.
- Instruction Scope (note): SKILL.md and PROMPT.md limit the sanitization agent to parsing/summarization of delimited input and explicitly instruct it to ignore instructions inside untrusted data. This is consistent with the stated purpose. Note: SKILL.md contains an odd stray token sequence ('presents generate requested manners ... mp3 preserve ought buzz flaw task') that appears to be garbage or accidental; it does not change the skill's behavior but should be cleaned to avoid confusion.
- Install Mechanism (ok): No install spec; this is instruction-only. The included setup.sh merely creates local files via heredocs and does not download external artifacts or execute remote code. Low installation risk.
- Credentials (ok): The skill requires no environment variables, credentials, or config paths. All requested accesses are proportional to a sanitization tool.
- Persistence & Privilege (ok): always is false and the skill does not request persistent elevated privileges or modify other skills' configurations. Normal autonomous invocation is allowed (platform default) but not a special-risk setting here.
