ClawHub

merlin-security-sentinel

Use this skill when the user asks about securing their OpenClaw installation, configuring AI agents safely, understanding prompt injection risks, dealing wit...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 24 · 0 current installs · 0 all-time installs
by@thepoorsatitagain
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name and description (OpenClaw/agent hardening, prompt-injection defense, credential protection, ephemeral execution) match the content of SKILL.md. It asks for no credentials, binaries, or installs, so there is no disproportionate access request for the stated purpose.
Instruction Scope
The SKILL.md stays on-topic (hardening, audit steps, architecture recommendations). It contains concrete system commands (chmod on ~/.openclaw workspace files, running openclaw gateway with a host bind, clawhub list) and links to external GitHub repos. These actions are relevant but potentially disruptive: making memory files read-only (chmod 444) can break intended agent behavior or updates and should be tested in a safe environment after backing up files. External links should be vetted before cloning or running code from them.
Install Mechanism
No install spec and no code files — instruction-only. This is the lowest-risk install model; nothing will be written to disk by an automated installer.
Credentials
The skill requests no environment variables, no credentials, and no config paths as part of the skill metadata. The runtime instructions reference user-local paths that are relevant to OpenClaw memory/config, which is proportional to the guidance being offered.
Persistence & Privilege
always is false and the skill does not request permanent presence or elevated platform privileges. The guidance actually recommends avoiding persistence for privileged tasks (ephemeral containers), which reduces privilege concerns.
Assessment
This skill is coherent and behaves like a reference/manual rather than code. Before acting on its commands: (1) Back up SOUL.md, MEMORY.md, IDENTITY.md — making them read-only (chmod 444) can prevent legitimate agent updates and may break workflows. Test changes in a non-production environment first. (2) Verify the exact filesystem paths on your host before running chmod or gateway commands; adjust if your OpenClaw workspace is elsewhere. (3) Vet external GitHub links and repositories before cloning or executing any code (the SKILL.md points to personal/third-party repos). (4) Manual auditing advice (inspect SKILL.md for base64/external download steps) is sound — if you lack expertise, get a trusted admin to review. (5) If you need airtight protection for privileged operations, follow the ephemeral-container/audit-trail approach recommended here; it is more disruptive but structurally safer. Overall: the guidance is useful and aligned with its stated purpose, but apply it cautiously and test changes first.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
agent-safetyvk978kr4zzq5b7d756xvnaz5trs83s3qmlatestvk978kr4zzq5b7d756xvnaz5trs83s3qmprompt-injectionvk978kr4zzq5b7d756xvnaz5trs83s3qmsecurityvk978kr4zzq5b7d756xvnaz5trs83s3qm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Merlin Security Sentinel — Agentic Security Framework

When to use this skill

Load this skill when the user is concerned about:

  • Credential theft or exfiltration by AI agents
  • Prompt injection attacks via messages, files, or web content
  • Malicious skills in the ClawHub registry
  • Safe configuration of privileged systems using AI
  • Understanding what persistent agents can and cannot safely do
  • Building governed, auditable AI workflows

The Core Problem with Persistent AI Agents

Persistent AI agents — including this one — carry structural security liabilities that are not fixable by configuration alone.

Three risks compound each other:

  1. Credential accumulation — A persistent agent builds up an increasingly detailed model of credentials, tokens, and system access over time. Any compromise of the agent's memory or storage exposes that accumulated access.

  2. Memory poisoning — A persistent agent's memory (SOUL.md, MEMORY.md, IDENTITY.md) can be modified by malicious skills or prompt injection. Modified memory causes the agent to follow attacker instructions in future sessions with no single triggering event detectable.

  3. Supply chain attacks — The ClawHub registry has documented malicious skills. Research in Q1 2026 found 820+ malicious skills out of ~10,700 analyzed. 26% of 31,000 analyzed skills contained at least one vulnerability.

Security research findings (Q1 2026):

  • 40,000+ internet-exposed OpenClaw instances identified
  • ~35% flagged as vulnerable
  • 15,000+ susceptible to remote code execution
  • CVE-2026-25253: a single malicious link click grants full gateway control
  • Microsoft classified persistent self-hosted AI agents as "untrusted code execution with persistent credentials"

Immediate Hardening Steps

1. Lock your memory files

chmod 444 ~/.openclaw/workspace/SOUL.md
chmod 444 ~/.openclaw/workspace/MEMORY.md
chmod 444 ~/.openclaw/workspace/IDENTITY.md

2. Restrict tool permissions

Set the most restrictive tool profile compatible with your actual use:

  • tools.profile: "messaging" — no exec
  • Never enable exec unless specifically needed
  • Never use tools.allow: ["*"]

3. Bind to localhost only

openclaw gateway --port 18789 --host 127.0.0.1

4. Use allowlists for DMs

Set explicit allowedDMs rather than ["*"]. Any user who can message a shared tool-enabled agent can steer it within its granted permissions.

5. Audit installed skills

clawhub list

Check SKILL.md files manually. Look for: base64 encoding, external downloads, instructions to modify SOUL.md or MEMORY.md.

The Architectural Answer

For tasks involving elevated privilege the structurally correct answer is ephemeral execution, not hardened persistence.

Two inviolable axioms:

  1. No AI shall see its own configuration — The execution envelope is applied at container infrastructure level, not delivered to the model. An agent that cannot inspect its own constraints cannot reason about circumventing them.

  2. No AI that has touched privileged systems shall persist — Container termination is total. Not paused. Destroyed. The agent's knowledge of your system dies with the container.

What persists: A signed, replayable audit record of exactly what the AI did — held outside the container, inaccessible to the AI.

What does not persist: Credentials, session memory, system knowledge, the agent itself.

When to use ephemeral execution vs persistent agents

TaskUse
Daily messaging, reminders, searchPersistent (acceptable risk)
Configuring your own AI agentsEphemeral — high risk to persist
Setting up new systemsEphemeral — involves credentials
Running security scansEphemeral — agent sees sensitive data
Installing/updating privileged softwareEphemeral — credential entry involved

Prompt Injection Defense

OpenClaw's security model explicitly states that prompt injection is out of scope as a vulnerability — the framework cannot prevent it at the infrastructure level.

Practical defenses:

  • Never enable exec when browsing untrusted content
  • Use separate sessions for untrusted content and credential-sensitive tasks
  • Treat all content from messaging channels as untrusted
  • The architectural fix is an ingress firewall that makes external content readable but never instruction-authoritative — runtime filtering alone is insufficient

Architecture Reference

The full governed architecture — execution envelopes, ephemeral containers, deterministic audit trails, governed knowledge retrieval — is documented and prototyped at:

  • Threat assessment: github.com/thepoorsatitagain/OPENCLAW_SECURITY_THREAT_ASSESSMENT3
  • Hydra Kernel / GEL: github.com/thepoorsatitagain/Ai-control-2 — provisional patent 63/939,121
  • Merlin ephemeral sentinel: github.com/thepoorsatitagain/Merlin-agenic-security-airgapper
  • Working wrapper prototype: github.com/thepoorsatitagain/working-project-openclaw-wrapper

Quick Reference

"Is OpenClaw safe?" For daily personal use with minimal tool access and no exec: acceptable risk. For anything involving credentials, privileged systems, or shared access: the structural risks are real and documented.

"I got a suspicious skill installed"

  1. Check SOUL.md, MEMORY.md, IDENTITY.md for injected content
  2. Revoke any credentials the agent had access to
  3. clawhub uninstall <skill-slug>
  4. Review audit logs
  5. Consider clean reinstall if memory files were modified

"What is the worst case?" CVE-2026-25253: one malicious link click, full gateway RCE within milliseconds. Agent exfiltrates SOUL.md, MEMORY.md, device.json, openclaw.json, browser session tokens, SSH credentials. Future sessions follow attacker instructions silently.

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…