Skill v1.2.0

ClawScan security

Vext Shield · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 1:01 AM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally coherent with its stated purpose (an on-host security scanner / red team suite); the dangerous strings and payloads are test data and signatures used for detection, not unexplained exfiltration requests — but you should only install it if you trust the publisher and can run its sandbox requirements.
Guidance
This package is a self-contained on-host security suite that includes a static signature database and adversarial test payloads. The presence of many 'malicious' strings and test scripts is intentional — they are used to detect and validate detections. Before installing:

1) Verify you trust the publisher (Vext Labs) or inspect the source yourself;
2) Ensure your host can provide the required OS-level sandboxing tools (macOS: sandbox-exec; Linux: unshare) because the red-team and sandboxed behavioral tests refuse to run without them;
3) Expect local files to be created under ~/.openclaw/vext-shield/ (reports, logs, firewall-policy, baselines);
4) Review shared/threat_signatures.json and skills/vext-redteam/redteam.py if you want to confirm which payloads are included;
5) If you lack kernel sandboxing or are uncomfortable with adversarial test payloads on your machine, avoid running the red-team behavioral tests and restrict usage to static scan/audit functions.

Finally, although the code claims 'zero network requests', you should still audit the code paths that parse decoded payloads and any code that would process user-provided inputs to ensure no accidental outbound network actions occur in your environment.
Findings
[ignore-previous-instructions] expected: SKILL.md and documentation intentionally include prompt-injection example strings (e.g., 'Ignore all previous instructions', 'You are now DAN') because the scanner detects such patterns and the red-team uses them as payloads. The pre-scan detector flagged these examples; this is expected for a security test suite.
[system-prompt-override] expected: SKILL.md contains examples and descriptions of system-prompt override techniques as part of threat documentation and red-team batteries. Presence of these strings in docs and test fixtures is justified by the tool's purpose.

Review Dimensions

Purpose & Capability
ok: Name/description match the provided artifacts: the package contains a multi-component scanner, red-team tests, monitor, firewall and dashboard. Required binaries (python3) and included files (scanner, sandbox, threat signatures, test fixtures) are proportional to a local security suite. Files that contain malicious-looking payloads (webhook.site, reverse shell strings, 'Ignore all previous instructions', etc.) are present but documented in allowlist.json as intentional signatures/test fixtures.
Instruction Scope
note: SKILL.md and code instruct the agent to run local Python scripts and to save reports under ~/.openclaw/vext-shield/reports/. The runtime instructions and sandbox behavior explicitly state they will copy target skills to a temp dir, strip sensitive env vars, and refuse to execute if OS-level kernel sandboxing is unavailable. The SKILL.md includes many example payloads and threat strings (prompt-injection phrases) which triggered pre-scan detectors — these are documented examples used by the scanner and red-team, not instructions to exfiltrate data. Reviewers should confirm the sandbox tools (sandbox-exec on macOS, unshare on Linux) are available on their host before using adversarial tests.
Install Mechanism
ok: No install spec is provided in the registry entry (instruction-only), but the package includes full Python source and a documented manual install (git clone or ClawHub). No external downloads or obscure URLs are used; the code claims zero external dependencies beyond Python stdlib. This is proportionate for an on-host analysis tool. There is no remote fetch/install of third-party packages in the provided artifacts.
Credentials
ok: The skill requests no environment variables or credentials and the sandbox code explicitly strips many sensitive env var names and prefixes. The suite writes reports and logs to ~/.openclaw/vext-shield/, which is expected for a local security tool. No unrelated credentials are requested.
Persistence & Privilege
note: The skill does not demand 'always: true' or elevated persistent privileges. It will write reports, baselines, firewall policy files and logs under ~/.openclaw/vext-shield/, which is consistent with its function. SKILL.md claims target skills are never modified and sandbox executes against temp copies; the code implements copying and snapshot diffing. If you enable runtime monitoring or firewall policy changes, expect persistent files under the stated data directory.