SentiClaw
ReviewAudited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (ignore-previous-instructions); human review is required before treating this skill as clean.
Before installing, decide where the audit database should live, who can read it, whether external alerts should be enabled, and narrow allowed_dirs if you use the access-control helper. Do not rely on the skill as a complete security guarantee; use it alongside normal permissions, monitoring, and review. ClawScan detected prompt-injection indicators (ignore-previous-instructions), so this skill requires review even though the model response was benign.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Security events and some blocked-message details can persist locally in senticlaw_audit.db or the configured audit path.
Blocked injection events are written to the audit logger with layer details; sanitizer details include cleaned input text, so the local audit database may retain some message content.
self.auditor.log(AuditEvent.INJECTION_ATTEMPT, msg.session_id, msg.sender_id, msg.channel, "sanitizer", lr.risk_level.value, lr.details)
Use a protected audit_db_path, set retention/cleanup procedures, and disable or modify auditing if message-content retention is not acceptable.
Configured alert channels may receive session, sender, and channel metadata about detected security events.
When alert_channel_id is set, threat alerts are sent through OpenClaw messaging to Discord, Telegram, Slack, WhatsApp, or another configured channel.
["openclaw", "message", "send", "--channel", alert_ch, "--to", to_arg, "--message", msg]
Only configure alerts to private, trusted destinations and verify the OpenClaw messaging account and recipient before enabling alerts.
If used to gate file access without configuration, the helper may treat many private home-directory paths as allowed.
The access-control helper allows the whole user home directory by default if the developer does not narrow allowed_dirs.
allowed_dirs: list = field(default_factory=lambda: ["/tmp", os.path.expanduser("~")])Set allowed_dirs to the smallest project-specific directories needed before relying on check_path for file-access decisions.
Users may overestimate how complete the protection is and skip other security controls or review.
The documentation uses absolute safety wording for a regex/configuration-based protection layer.
return safe.response # guaranteed clean
Treat SentiClaw as one defensive layer, test it against your own threat cases, and keep normal access controls and human review for sensitive workflows.