Moses Audit

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill is a local audit-ledger utility that persistently logs agent actions and, optionally, derives an HMAC attestation over the ledger from a local operator secret. The artifacts show no evidence of network exfiltration or destructive behavior.

This appears benign for a local governance/audit-log skill. Before installing, confirm that you want agents to create persistent local audit entries, use a unique MOSES_OPERATOR_SECRET if you enable attestations, and avoid logging secrets, private keys, tokens, PII, or detailed confidential task content.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may create a local audit entry before responding, even when the user did not explicitly ask for logging in that turn.

Why it was flagged

This directs the agent to add an audit-log step before final responses. That is purpose-aligned for an audit skill, but it is a broad instruction that affects normal agent behavior.

Skill content
**You must log before your final response.** Skipping the audit is a constitutional violation. It will be caught by the Observer and flagged.
Recommendation

Install only if you want automatic local audit logging; otherwise disable the skill or require explicit user invocation.

What this means

A local secret is used to prove ledger state, and the resulting attestation is written into the ledger entry. Anyone who can read the ledger can therefore test candidate secrets against that attestation offline; if the secret is weak, or is reused from elsewhere (an API key, a wallet secret), that offline check recovers it.

Why it was flagged

The helper reads an operator secret from the environment to derive a local HMAC attestation. The provided code does not transmit the secret or write the raw secret to the ledger.

Skill content
```python
import os

# Attestation is only computed when the operator secret is present in the environment.
operator_secret = os.environ.get("MOSES_OPERATOR_SECRET")
if operator_secret:
    # The last 10 ledger hashes are bound into the attestation along with the current state.
    recent = get_recent_hashes(10)
    entry["attestation"] = compute_attestation(state, recent, operator_secret)
```
Recommendation

Use a unique, high-entropy MOSES_OPERATOR_SECRET and do not reuse API keys, wallet secrets, or other provider credentials for it.
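The following is an added example, not code from the Moses Audit skill: the skill's `compute_attestation` is not shown in the artifacts, so an HMAC-SHA256 over a canonical encoding of the state and recent hashes is assumed here as its shape. The ledger state, recent hashes and candidate secret list are constructed sample data. It shows why the recommendation above matters: the attestation stored in the ledger acts as an offline verification oracle, so a weak secret falls to a short candidate list while a 256-bit random secret does not.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data. In the skill these would come from the ledger
# (get_recent_hashes(10) and the current state); here they are fabricated.
RECENT_HASHES = [hashlib.sha256(f"entry-{i}".encode()).hexdigest() for i in range(10)]
STATE = {"seq": 42, "last_hash": RECENT_HASHES[-1]}

# Candidate secrets an attacker would try first. Constructed for the demo.
WEAK_CANDIDATES = ["moses", "password", "changeme", "secret", "admin123"]


def compute_attestation(state: dict, recent: list, operator_secret: str) -> str:
    """Assumed attestation shape (not the skill's own code): HMAC-SHA256 over a
    canonical JSON encoding of the ledger state and the recent hash chain."""
    msg = json.dumps({"state": state, "recent": recent},
                     sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(operator_secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_attestation(state: dict, recent: list, operator_secret: str, tag: str) -> bool:
    """Constant-time comparison so verification itself does not leak the tag."""
    return hmac.compare_digest(compute_attestation(state, recent, operator_secret), tag)


def offline_guess(state: dict, recent: list, tag: str, candidates: list):
    """Anyone holding the ledger (state, recent hashes, stored tag) can test
    secret guesses without touching the machine or its environment variables.
    Returns the recovered secret, or None if no candidate matches."""
    for cand in candidates:
        if verify_attestation(state, recent, cand, tag):
            return cand
    return None


def demo():
    # Weak operator secret: the stored attestation gives it away.
    weak_tag = compute_attestation(STATE, RECENT_HASHES, "changeme")
    recovered = offline_guess(STATE, RECENT_HASHES, weak_tag, WEAK_CANDIDATES)

    # High-entropy, single-purpose secret: 32 random bytes = 64 hex characters.
    strong_secret = secrets.token_hex(32)
    strong_tag = compute_attestation(STATE, RECENT_HASHES, strong_secret)
    not_recovered = offline_guess(STATE, RECENT_HASHES, strong_tag, WEAK_CANDIDATES)

    # A tampered ledger state no longer verifies under the correct secret.
    tampered = dict(STATE, seq=STATE["seq"] + 1)
    tamper_detected = not verify_attestation(tampered, RECENT_HASHES, strong_secret, strong_tag)

    return recovered, not_recovered, len(strong_secret), tamper_detected


if __name__ == "__main__":
    print(demo())
```

If the operator secret is reused from another service, the recovered value in the weak case is that service's credential, which is why the recommendation is a unique secret rather than merely a long one. Generating it with `secrets.token_hex(32)` and exporting it as MOSES_OPERATOR_SECRET satisfies both conditions.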

What this means

Task details persist in a local append-only ledger and could expose sensitive context if the agent or user includes it in the detail field.

Why it was flagged

The skill stores a persistent local audit ledger with freeform details. The artifact does warn against logging secrets or PII, which reduces but does not eliminate privacy risk.

Skill content
File: `~/.openclaw/audits/moses/audit_ledger.jsonl` ... The `detail` field is freeform. Do not log raw secrets, private keys, tokens, or PII in this field.
Recommendation

Keep audit details high level, avoid secrets and personal data, and periodically review local ledger file permissions and retention needs.
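The following is an added example, not the skill's own ledger writer, showing how the recommendation above can be enforced rather than relied on: the `detail` field is scrubbed of common secret and PII shapes before it is appended, the ledger file is created with owner-only permissions, and a check reports whether the file has drifted to a wider mode. The file name `audit_ledger.jsonl` and the field name `detail` are taken from the skill's documentation; the regex list, entry layout and sample details are constructed for the demo and are illustrative, not exhaustive.

```python
import json
import os
import re
import stat
import tempfile
from datetime import datetime, timezone

# Constructed patterns for the kinds of values the skill says not to log
# (private keys, tokens, credentials, PII). Specific token formats first,
# then a generic "name=value" credential pattern, then e-mail addresses.
SENSITIVE_PATTERNS = [
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"AKIA[0-9A-Z]{16}"),                      # AWS access key id shape
    re.compile(r"gh[pousr]_[A-Za-z0-9]{36}"),             # GitHub token shape
    re.compile(r"(?i)\b(api[_-]?key|token|secret|password)\b\s*[:=]\s*\S+"),
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),               # e-mail address (PII)
]

REDACTED = "[REDACTED]"


def scrub_detail(detail: str, max_len: int = 200):
    """Redact secret/PII shapes and cap length. Returns (scrubbed text, redaction count)."""
    hits = 0
    for pat in SENSITIVE_PATTERNS:
        detail, n = pat.subn(REDACTED, detail)
        hits += n
    if len(detail) > max_len:
        detail = detail[:max_len] + "..."
    return detail, hits


def append_entry(ledger_path: str, action: str, detail: str) -> dict:
    """Append one JSONL entry. The file is created 0600 (owner read/write only);
    O_APPEND keeps the ledger append-only from this writer's point of view."""
    scrubbed, hits = scrub_detail(detail)
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "detail": scrubbed,
        "redactions": hits,
    }
    fd = os.open(ledger_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def ledger_is_private(ledger_path: str) -> bool:
    """True if no group/other permission bits are set on the ledger file."""
    mode = stat.S_IMODE(os.stat(ledger_path).st_mode)
    return mode & 0o077 == 0


def demo():
    # Constructed sample details, including one that violates the skill's guidance.
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "audit_ledger.jsonl")
    e1 = append_entry(path, "deploy",
                      "Deployed build 17; contact ops@example.com; password=hunter2 was rotated")
    e2 = append_entry(path, "review", "Summarised quarterly report")
    with open(path) as f:
        lines = [json.loads(line) for line in f]
    return e1["detail"], e1["redactions"], e2["redactions"], len(lines), ledger_is_private(path)


if __name__ == "__main__":
    print(demo())
```

The redaction count is recorded in the entry so that a periodic review can find which actions are being logged with too much detail. For the retention point in the recommendation, the same review can rotate or truncate the file; the 0600 mode only applies at creation, so `ledger_is_private` is the check to run after any copy or restore of the ledger.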