ClawGuard
v1.0.0
Security auditor for ClawHub skills. Run before installing ANY skill — scans SKILL.md and scripts for prompt injection, data exfiltration, shell injection, p...
by Almouthana Taha Khalfallah (@taha2053)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill is described as a local security auditor and requires no env vars or binaries; scan.py and SKILL.md consistently implement scanning of files in a target skill directory. One small mismatch: the 'Repository Trust Score' lists metrics like repo star count and GitHub account age which normally require network/GitHub API access — the package claims 'no external calls', so those metrics must be derived from local git metadata or are aspirational. This is plausible but worth verifying in scan.py if you rely on those exact metrics.
Instruction Scope
SKILL.md instructs local use (python3 skills/clawguard/scripts/scan.py <path>) and promises read-only, local analysis. The file contains many prompt-injection example strings (e.g., 'ignore previous instructions') — these appear as detection examples, which is expected, but the presence of raw injection phrases can trigger other static detectors or confuse automated evaluators. Verify scan.py only reads target files and doesn't itself execute untrusted code from scanned skills.
Install Mechanism
No install spec; instruction-only with an included scan.py. No downloads, no package managers, and the README/scan.py both claim stdlib-only. That's proportionate for a local scanner.
Credentials
The skill declares and appears to need no environment variables, credentials, or config paths. scan.py's SECURITY MANIFEST at the top also states 'Environment variables accessed: none' and 'External endpoints called: none', which aligns with the declared purpose.
Persistence & Privilege
Registry flags are normal (not always:true). The skill is user-invocable and does not claim to modify system-wide settings or other skills. Nothing requests elevated or persistent privileges.
Scan Findings in Context
[ignore-previous-instructions] expected: The SKILL.md contains example prompt-injection phrases (including 'ignore previous instructions') because ClawGuard detects such patterns. The pre-scan detector flagged this phrase, but in context it is used as a detection example rather than a malicious attempt to hijack the evaluator. Still, such phrases can trip other automated scanners.
Assessment
ClawGuard appears coherent and appropriate for the claimed purpose. Before installing or relying on it: (1) open scripts/scan.py and confirm there are no network calls (look for imports or use of requests, urllib, socket, subprocess that contacts the network, or explicit HTTP calls). (2) Verify scan.py does not execute scanned code or write to locations outside the scanned skill directory. (3) If you rely on 'repo star count' or 'GitHub account age', confirm how those metrics are computed (local git metadata vs remote API). (4) Run the scanner on a copy of a target skill in a sandbox first. Finally, because the SKILL.md intentionally contains prompt-injection examples, be aware those phrases may trigger other automated reviews — this is expected but worth noting.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🔍 Clawdis
