IronClaw Security Guard

Review

Audited by ClawScan on May 18, 2026.

Overview

This is a coherent security-guard plugin, but it may persist unredacted secrets in local audit logs, so users should review its logging behavior before enabling it.

Use this as a defensive plugin only after reviewing its audit-log behavior. It appears purpose-aligned and not malicious, but configure audit-log location and permissions carefully, and prefer a version that redacts or omits sensitive previews before writing logs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Secrets, tokens, or private keys may be prevented from being sent externally but still be stored locally in the plugin’s audit log.

Why it was flagged

When outgoing message redaction is triggered, the plugin sends the redacted text onward but passes the original unredacted message content into the audit event preview. Because audit events are written to a local JSONL log, this can persist secrets the plugin was meant to protect.

Skill content

    const redaction = redactSecretsInText(event.content);
    ...
    await audit.write({
      type: "message_sending",
      severity: "high",
      ...
      preview: event.content.slice(0, 1200),
      blocked: false,
    });
    return {
      content: `${redaction.text}\n\n[security] Sensitive-looking tokens were redacted before sending.`,
    };

Recommendation

Redact audit previews before writing them, minimize or disable content previews, restrict audit-log permissions, and document retention/cleanup expectations clearly.

What this means

Legitimate commands or tool calls may be blocked if they match broad safety rules or secret/path heuristics.

Why it was flagged

The plugin can intercept and block tool calls based on its scan results. This is central to the stated security purpose, but users should understand it may stop shell, network, file, or messaging actions.

Skill content

    const shouldBlock =
      !config.monitorOnly &&
      (report.block || report.severity === "critical" || report.severity === "high");
    ...
    return {
      block: true,
      blockReason: buildBlockedToolReason(event.toolName, report.findings),
    };

Recommendation

Review the default rules, use monitorOnly mode during testing if needed, and tune allowlists or blocked patterns for the environment.

What this means

The agent may become more conservative about external content, shell commands, network calls, and secret handling.

Why it was flagged

The plugin injects security guidance into the agent’s prompt context. This is disclosed and defensive, but it does alter the agent’s operating instructions.

Skill content

    api.on("before_prompt_build", async () => {
      ...
      return {
        prependSystemContext: SECURITY_PROMPT_GUIDANCE,
      };
    });

Recommendation

Enable this only when those guardrails are desired, and verify that the added guidance does not conflict with local operating policies.