Skillv0.1.1

ClawScan security

ZugaShield Security Scanner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 17, 2026, 9:29 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The plugin's code and runtime behavior mostly match a networked Python-based scanner, but inconsistencies in source metadata, prompt-injection signatures found in the SKILL.md, and reliance on an external pip package (runtime code run as a child process) make this worth caution and further verification.
Guidance: This package is plausible as a gateway scanner, but take these precautions before installing/activating it: 1) Verify the upstream packages: confirm the npm package and PyPI package authors and the GitHub repository (the plugin contains multiple repository/homepage strings — reconcile them). 2) Inspect the Python package 'zugashield' (zugashield_mcp): examine its code on PyPI or the repository before running pip install; a third-party Python package will run code on your host. 3) Check SKILL.md / README for the prompt-injection phrases flagged by the scanner and review any suspicious lines. 4) Don't set sensitive env vars into the process; the plugin tries to whitelist env vars but allows ZUGASHIELD_* feed URLs — ensure those point to trusted, signed feeds, and enable signature verification if available. 5) Test in an isolated/sandboxed OpenClaw instance first (non-production) to verify behavior and network interactions (outbound connections, feed pulls). 6) Prefer packages from an audited source or a repository you control; if you can't validate the Python package or feed origin, treat this as untrusted code. If you want, I can list the exact repo/homepage strings found and point out where they differ, or help you inspect the zugashield_mcp package source if you provide its PyPI link or code.
Findings: [prompt-injection:ignore-previous-instructions] unexpected: A prompt-injection pattern was detected inside SKILL.md. A documentation file for a scanner should not contain LLM-targeting injection phrases; this is unexpected and worth manual review of the SKILL.md / README text for embedded manipulative instructions. [prompt-injection:you-are-now] unexpected: Another LLM-instruction-style pattern was found in the SKILL.md. This is not required by a security scanner and could be an attempt to manipulate an LLM that reads these docs; review the doc contents and the repository history.

Review Dimensions

Purpose & Capability: okThe name/description (an OpenClaw gateway scanner) align with what the plugin implements: it registers gateway hooks, requires Python to run a zugashield_mcp server, and exposes commands to show status/report. Permission for subprocess is declared and needed to spawn the MCP process.
Instruction Scope: noteSKILL.md instructs installation via pip/npm and to spawn a resident Python MCP server that inspects inputs, outputs, tool calls, and memories — all consistent with the stated purpose. However the SKILL.md was flagged by a prompt-injection detector (patterns like 'ignore-previous-instructions' and 'you-are-now'), which is unexpected for a scanner manifest and may indicate attempted LLM-targeted manipulation in documentation/instructions. The runtime hooks do scan/forward content to the MCP server; they do not, in the JS surface code, read unrelated host secrets.
Install Mechanism: concernThere is no packaged install spec inside the plugin bundle; the SKILL.md recommends 'pip install "zugashield[mcp]"' and 'npm install zugashield-openclaw-plugin'. Running pip to fetch zugashield at runtime means execution of third-party Python code on the host. That is a standard distribution method but is a moderate risk because the Python package is an external artifact you must trust. The npm content provided in the bundle looks normal; no direct downloads from shorteners/personal IPs were found.
Credentials: noteThe plugin declares no required env vars and restricts child-process env to an allowlist, which reduces secret leakage risk. However the child env allowlist includes ZUGASHIELD_FEED_URL / FEED_ENABLED / FEED_STATE_DIR and other ZUGASHIELD_* variables — these imply the engine may be configurable to contact external feeds (update/signature feeds). Those are plausible for a scanner but mean a misconfigured or malicious feed URL could direct the Python process to fetch remote content. No unrelated cloud credentials are requested by the plugin.
Persistence & Privilege: okalways:false and user-invocable are appropriate. The plugin registers as a service and adds required hooks (high priority/critical) — appropriate for a security filter. It does not request permanent global privileges beyond hooking into the gateway as intended.