ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

IronClaw Security Guard

Add lightweight defense-in-depth guardrails to OpenClaw with dangerous-command blocking, prompt-injection detection, secret redaction, and audit logging.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 42 · 0 current installs · 0 all-time installs
byDa Wei@wd041216-bit
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, README, manifest, and TypeScript code all align: the plugin inspects payloads, classifies tools, blocks destructive shell patterns, detects prompt-injection, redacts secrets, exposes a manual scan tool, and writes an audit log. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
SKILL.md and the bundled skill instruct the agent to scan messages, tool params, and files and to use the ironclaw_security_scan tool before risky operations — this matches the code. The plugin records previews of inspected content to the audit log (JSONL) and may redact previews on request. That behaviour is expected for auditability, but it means the audit store can contain sensitive content unless redaction/configuration is used.
Install Mechanism
There is no download/install step in the registry metadata; this is a repository-style OpenClaw plugin (TypeScript source, package.json). No external URL downloads, no packaged install scripts, and no unusual install locations are present. Node >=22 is required per package.json — typical for a TypeScript plugin.
Credentials
The plugin declares no required environment variables or credentials, which is proportionate. It does scan for patterns that look like API keys and tokens but does not require or send any keys. The main caution: audit events (by default written to ~/.openclaw/logs/ironclaw-security-guard.audit.jsonl) may include previews of inputs that contain secrets — operators should consider configuring auditLogPath, enabling redaction, or restricting file permissions.
Persistence & Privilege
The plugin is not force-included (always:false). It registers hooks and a tool via OpenClaw's plugin API as expected; it writes audit logs to disk and does not modify other plugins' configs or request system-wide privileges. Autonomous invocation (disable-model-invocation:false) is the platform default and appropriate for a guard plugin.
Scan Findings in Context
[prompt-injection:ignore-previous-instructions] expected: The pre-scan flagged the phrase pattern 'ignore previous instructions' found in SKILL.md/README (these docs include examples of prompt-injection phrases). This is expected because the plugin documents and tests detection of such patterns; it's not an indication of hidden malicious behavior.
Assessment
This plugin appears to do what it says: block destructive/sensitive tool calls, detect prompt-injection, redact secrets, and log audits. Before installing or enabling it in production: (1) review and, if needed, tighten protectedPathPatterns / blockedCommandPatterns and allowedOutboundHosts; (2) decide whether to start in monitorOnly mode to observe behavior before blocking; (3) configure auditLogPath to a secure location with proper file permissions (audit logs may contain previews of inputs that could include secrets); (4) enable redactPreview where appropriate; (5) run the included tests (npm test) and audit the code to ensure it meets your operational requirements. The only notable operational risk is local storage of potentially sensitive previews — mitigate by configuration and access controls.
!
README.md:81
Prompt-injection style instruction pattern detected.
!
README.zh-CN.md:58
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.2.0
Download zip
latestvk971bc0pj2xrw3kdmpe93m6ze183h47b

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

IronClaw Security Guard

Use this skill when an OpenClaw runtime needs lightweight security guardrails rather than a full sandbox.

What it is for

Use it when the user wants to:

  • reduce risky shell execution
  • protect sensitive paths and credentials
  • detect prompt-injection patterns in untrusted content
  • redact secrets before outgoing messages
  • keep an audit trail of risky or blocked behavior

What it covers

  • shell-risk filtering
  • protected path detection
  • prompt-injection heuristics
  • outbound secret redaction
  • audit logging
  • manual inspection through ironclaw_security_scan

When to use it

  • local-model deployments
  • tool-heavy OpenClaw setups
  • environments with chat, shell, web, and file tools enabled
  • operator workflows that need safety checks without a heavyweight sandbox

Non-goals

This skill does not:

  • provide container isolation
  • guarantee malware containment
  • replace OS, network, or credential-hygiene controls

Operating workflow

  1. Check whether the plugin is enabled or running in monitorOnly mode.
  2. Review configured allowlists, blocked command patterns, and protected path patterns.
  3. Use ironclaw_security_scan first when content or tool parameters look suspicious.
  4. Prefer the least-privileged path for shell, network, and messaging actions.
  5. If the plugin blocks a call, inspect the audit log before overriding safeguards.

Output expectations

Good use of this skill should usually produce:

  • a concise risk explanation
  • the matched finding category
  • a safer alternative when one exists
  • a note about whether the event should be audited or blocked

Files

21 total
Select a file
Select a file to preview.

Comments

Loading comments…