安全卫士

Warn

Audited by ClawScan on May 10, 2026.

Overview

This looks like a real security-guard skill, but its configuration grants broad file/command privileges and permanent logging beyond its read-only description.

Review the full Python source and permission prompts before installing. Keep the skill in restrictive L2/L3 modes by default, do not enable L1 without strong owner verification, and confirm that logs, memory reads, and attack samples are scoped and deletable.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the skill places the agent into L1 or treats a source as trusted, the agent could be allowed to perform high-impact actions such as modifying files or running commands.

Why it was flagged

The central permission matrix says L1 can use workspace access, writes, execution, and all operations, including rows that allow delete, command, external request, and batch operations.

Skill content
"allow_workspace": true, "allow_write": true, "allow_execute": true, "allow_operations": ["all"]
Recommendation

Require explicit user confirmation for each file write, delete, command execution, external request, or batch action; keep default operation in L2/L3 unless owner identity is strongly verified.

What this means

The skill may inspect sensitive local agent memory, user profile data, and configuration structure to make trust decisions.

Why it was flagged

The setup guide documents reading local profile/memory files and automatically gathering the ~/.workbuddy directory structure, broader than the SKILL.md claim that memory is read only to identify the owner.

Skill content
Capture sources: security.json user_profile, USER.md, MEMORY.md ... the system automatically captures the ~/.workbuddy/ directory structure + blacklist.json
Recommendation

Limit identity checks to a clearly named owner ID/config file, avoid broad memory/profile reads by default, and disclose exactly which local paths are read.

What this means

User messages, attack samples, source identifiers, or sensitive events could be retained indefinitely with no clear deletion path.

Why it was flagged

The logging policy requires traceable, non-deletable, permanent records; other configs also describe attack sample capture and cross-session tracking.

Skill content
"save_requirements": {"location": "可溯源不可删除", "format": "JSON或Markdown", "retention": "永久"}
Recommendation

Add visible retention controls, redaction before storage, and a user-accessible way to review and delete security logs or samples.

What this means

The agent will load prompt-injection text as part of the skill’s rule set.

Why it was flagged

Prompt-injection phrases are present as detection signatures, which matches the security purpose, but they should remain data and not be treated as instructions.

Skill content
"patterns": [ ... "忽略之前", "忽略所有", "忘记规则", "重新定义" ... ]
Recommendation

Keep these phrases in clearly marked data files and ensure the agent treats them only as examples or patterns to detect.

What this means

It is harder to independently verify who authored the runtime code or compare it to an upstream project.

Why it was flagged

The registry metadata does not provide an external source or homepage while the package includes runnable Python files.

Skill content
Source: unknown; Homepage: none; Code file presence: scripts/detector.py, scripts/guardian.py, scripts/quick_guard.py
Recommendation

Install only if you trust the publisher and can review the complete Python source supplied with the skill.