Skill v6.8.20

ClawScan security

flaw0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 12, 2026, 5:01 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions are broadly consistent with a security‑guard plugin, but it is instruction‑only (no code to inspect) and omits important operational details (what gets sent to the remote Core service, undeclared runtime dependencies), so proceed cautiously and review the actual plugin before installing.
Guidance
Key things to consider before installing:
- This listing is instruction‑only and contains no plugin code — installing will fetch @openguardrails/moltguard from your OpenClaw plugin registry; review that plugin's source (e.g., the GitHub repo) before installing.
- The plugin will store an API key locally (~/.openclaw/credentials/moltguard/) and uses a remote 'Core' service for detections. Confirm what data is sent to Core, retention policy, encryption, and jurisdiction/privacy implications.
- The SKILL.md references running node and other commands but does not declare them; ensure your environment has expected runtimes and inspect any scripts the plugin installs (especially enterprise-enroll.mjs, enterprise-unenroll.mjs, uninstall.mjs) before executing.
- If you want tighter control, test in an isolated agent or sandbox, create a limited‑scope API key if possible, and verify the plugin's update and uninstall behavior.
- If you want more confidence, provide the actual plugin package or a link to the exact release artifact for a deeper review; that would raise confidence from medium to high.

Review Dimensions

Purpose & Capability
note: The SKILL.md describes a prompt‑injection/data‑exfiltration guard and instructs installing an OpenClaw plugin (@openguardrails/moltguard). That is coherent with the stated purpose. Minor inconsistency: the skill declares no required binaries but the instructions reference commands (openclaw, node, openclaw gateway restart, cat) that must be available to install/run the plugin.
Instruction Scope
concern: The instructions tell the agent/human to install a plugin which will place files under ~/.openclaw/extensions/moltguard/ and save API keys under ~/.openclaw/credentials/moltguard/. The doc states that all detection is performed by a remote 'Core' service and includes steps to enroll an enterprise Core (node scripts sending a URL). The SKILL.md does not detail what data is sent to Core, how it's protected, or consent boundaries — meaning user content could be transmitted to an external service without explicit limits. It also instructs the agent to read a local sample file (expected) but otherwise grants broad discretion to use the plugin's commands and scripts.
Install Mechanism
note: This is an instruction‑only skill with no install spec or code files; it instructs the user to run 'openclaw plugins install @openguardrails/moltguard'. That implies code will be fetched from the OpenClaw plugin registry. Because the skill bundle does not include the plugin code, the actual install will pull code not present here — we cannot inspect it. This is not inherently malicious but reduces visibility.
Credentials
note: The skill itself requests no environment variables, which is reasonable for an instruction-only guide. However, the plugin it instructs to install will ask for and store an API key in ~/.openclaw/credentials/moltguard/, and the SKILL.md shows commands that can display that API key (/og_status). Storing and transmitting an API key is expected for a guarded external service, but the manual does not explain scope/permissions of that key or what user data will be forwarded to Core.
Persistence & Privilege
ok: 'always' is false and the skill does not request forced presence. The instructions describe storing plugin files and credentials under the user's OpenClaw directories and provide an uninstall script. Those behaviors are consistent with a normal plugin's persistence model and do not, by themselves, indicate elevated or cross‑skill privileges.