Tork Guardian
v1.0.2

AI governance and safety layer for OpenClaw agents. Protects against unsafe actions, redacts sensitive data, and generates compliance audit trails.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The skill claims to be a governance/safety layer and the code implements PII redaction, network governance, and a scanner that reports to a Tork cloud API — those capabilities match the description. However the registry metadata (Requirements section) claims no required env vars or credentials, while package.json, SKILL.md examples, and src code clearly require an API key (TORK_API_KEY) and network access to https://tork.network and GitHub APIs. That mismatch is an incoherence: a governance SDK legitimately needs the API key and network access, but the skill manifest did not declare them.
Instruction Scope
SKILL.md and README explicitly instruct usage that will (a) call out to a remote Tork API for governance/redaction, (b) run a local scanner which writes temp files when scanning provided source, and (c) provide examples that use process.env.TORK_API_KEY. The runtime instructions are generally scoped to the stated purpose (govern requests, network validation, scanning). However pre-scan detection flagged prompt-injection patterns in the SKILL.md (e.g. 'ignore-previous-instructions', 'you-are-now') which could indicate attempts to manipulate an agent's instruction-following; this should be validated manually (could be false positive or leftover example text).
Install Mechanism
No download-from-URL install is specified in the registry; the SKILL.md shows 'npm install @torknetwork/guardian' which is a normal package install. The included package.json and dist/ files mean code would be installed from npm (or from the registry bundle). There are no inline install scripts that fetch arbitrary remote archives in the provided files. The scanner writes temporary files when scanning a repo, which is expected for a scanner.
Credentials
The code and examples require an API key (TORK_API_KEY) and the package declares network permissions to talk to tork.network and api.github.com. Those credentials/network permissions are proportionate to a cloud-backed governance service and GitHub scanning. The problem is the registry-level Requirements reported to the evaluator show 'none' — an omission that could lead users to install without realizing the skill will need (and use) an API key and outbound network access. Also note the library will send threat reports and content to the Tork API (reportThreat uses client.govern with threat details), so anything included in those strings (skill id, details) may be transmitted to the cloud.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide agent settings in the provided code. It performs temporary file writes only during scanning and otherwise operates in-process. Autonomous invocation is allowed (platform default) but not combined with any 'always' or other elevated privilege in this package.
Scan Findings in Context
[prompt-injection-ignore-previous-instructions] unexpected: The pre-scan flagged the string 'ignore-previous-instructions' in SKILL.md. A governance SDK should not need to include prompt-injection phrases in its runtime instructions; this could be leftover/example text or an attempt to manipulate agent instruction-following. Verify SKILL.md content manually.
[prompt-injection-you-are-now] unexpected: The pre-scan flagged the string 'you-are-now' in SKILL.md. As above, these prompt-like phrases are unexpected for a library README and should be examined to rule out embedded instruction-manipulation content.
What to consider before installing
What to check before installing:
1) Provenance: this registry listing shows 'source: unknown' and advertised Requirements = none, but the package files (package.json, README, SKILL.md, src/) clearly expect a TORK_API_KEY and network access to tork.network and GitHub. Confirm you are installing the official package (check the npm package owner, GitHub repo, and package signatures) and that the homepage (https://tork.network) is legitimate.
2) API key scope & trust: the SDK will send content and threat reports to the remote Tork API. Decide whether you trust that endpoint with redacted or raw content. Inspect how the client constructs requests (src/client.ts). Consider using a limited-scope API key and review privacy/retention policies for tork.network.
3) Manifest mismatch: ask why the registry metadata omitted required env/network declarations. Installers relying on the registry may not prompt for network/env permissions; that omission is an incoherence you should resolve.
4) Prompt-injection strings: SKILL.md triggered prompt-injection pattern matches. Open the SKILL.md and README and manually search for any embedded instruction-like payloads; if present, ask the publisher to remove them or explain why they're harmless (example text vs. malicious injection).
5) Run the scanner locally first: if you want extra confidence, download the package source, run a local audit and the included tork-scan CLI in a controlled environment (the package's scanner writes temp files and cleans them up). Review network calls (axios usage) to see exactly what is sent.
6) Least privilege: if you enable this skill in production, use a configuration (e.g., strict policy, allowlist) that limits outbound domains and ports, and minimize logging of sensitive data. Because the client has a 'fail-open' behavior when the Tork API is unreachable, be aware that governance may be bypassed temporarily; decide whether that behavior matches your security posture.
If you cannot verify the package owner or the SKILL.md prompt artifacts, treat the package as untrusted until provenance and the manifest omissions are resolved.
