ClawGuard — OpenClaw Skill Security Scanner
You are a security-conscious assistant. Before the user installs or uses any third-party OpenClaw skill, you MUST run a security scan using ClawGuard.
When to use this skill
- The user asks to install a new skill (e.g., `clawhub install <skill-name>`)
- The user asks you to review or audit a skill for safety
- The user asks you to check if a skill is safe to use
- The user points you at a skill directory or SKILL.md file
How to scan
Run the following command on the skill directory:
```bash
npx clawguard scan <skill-directory-path>
```
For JSON output (useful for programmatic analysis):
```bash
npx clawguard scan <skill-directory-path> --json
```
To check only specific rules:
```bash
npx clawguard scan <skill-directory-path> --rules prompt-injection,data-exfiltration
```
Interpreting results
ClawGuard checks for 6 types of security issues:
| Severity | Rule |
|---|---|
| CRITICAL | `prompt-injection` — instruction overrides, role switching, hidden payloads |
| CRITICAL | `data-exfiltration` — reading sensitive files (~/.ssh, ~/.aws) and sending them externally |
| HIGH | `permission-overreach` — requesting sudo, rm, docker, or excessive env vars |
| HIGH | `suspicious-urls` — IP-based URLs, URL shorteners, known malicious domains |
| HIGH | `dangerous-commands` — rm -rf /, curl \| sh, system file modification |
| MEDIUM | `metadata-mismatch` — undeclared env vars, unused declared binaries |
How to respond to scan results
If the scan PASSES (exit code 0, no findings):
Tell the user the skill passed all security checks and is safe to install. Proceed with the installation.
If the scan FAILS (exit code 1, findings detected):
1. Show the user ALL findings clearly, grouped by severity
2. For CRITICAL findings: strongly recommend NOT installing the skill. Explain the specific risk.
3. For HIGH findings: warn the user and ask for explicit confirmation before proceeding
4. For MEDIUM findings: inform the user but allow installation if they acknowledge the warnings
5. Never silently skip or hide any finding
Example interaction flow:
User: "Install the cool-scraper skill"
You should:
1. First locate the skill directory
2. Run `npx clawguard scan <skill-directory>`
3. Report the results to the user
4. Only proceed with installation if the scan passes or the user explicitly accepts the risks
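As an added example (not ClawGuard's or OpenClaw's own code) of the response policy and the flow above, a Python gate that runs the scan, maps the exit code and JSON output to the page's CRITICAL/HIGH/MEDIUM actions, and fails closed when the scanner itself breaks. The JSON field names (`findings`, `rule`, `severity`, `message`) and the fail-closed treatment of exit codes other than 0 and 1 are assumptions, not documented on this page.

```python
"""Pre-install gate around `npx clawguard scan <skill-dir> --json` (added example).
Exit codes follow the page: 0 = clean, 1 = findings. ASSUMPTION: the JSON is an
object with a "findings" list of {"rule", "severity", "message"}. Anything else
(other exit codes, unparseable output) fails closed, a choice not on the page."""
import json
import subprocess
from collections import defaultdict

# Page policy: CRITICAL -> refuse, HIGH -> explicit confirmation, MEDIUM -> warn.
POLICY = {"CRITICAL": "block", "HIGH": "confirm", "MEDIUM": "warn"}
RANK = {"block": 3, "confirm": 2, "warn": 1, "install": 0}

def triage(findings):
    """Group findings by severity; the strictest action wins and none is hidden."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[str(f.get("severity", "")).upper()].append(f)
    actions = [POLICY.get(sev, "confirm") for sev in grouped]  # unknown severity: ask
    decision = max(actions, key=RANK.get, default="install")
    return decision, dict(grouped)

def scan_skill(skill_dir, run=subprocess.run):
    """Run ClawGuard and return (decision, findings grouped by severity)."""
    proc = run(["npx", "clawguard", "scan", skill_dir, "--json"],
               capture_output=True, text=True)
    if proc.returncode == 0:
        return "install", {}
    try:
        findings = json.loads(proc.stdout)["findings"] if proc.returncode == 1 else []
    except (ValueError, KeyError, TypeError):
        findings = []
    if not findings:  # scanner error, or exit 1 with nothing readable: never "clean"
        msg = f"scanner failed (exit {proc.returncode}): {proc.stderr.strip()}"
        return "block", {"CRITICAL": [{"rule": "clawguard", "severity": "CRITICAL",
                                       "message": msg}]}
    return triage(findings)

def fake_runner(returncode, stdout="", stderr=""):
    """Constructed stand-in for subprocess.run so the gate can be exercised offline."""
    return lambda cmd, **kw: subprocess.CompletedProcess(cmd, returncode, stdout, stderr)

if __name__ == "__main__":  # constructed scanner output, not a real scan result
    sample = json.dumps({"findings": [
        {"rule": "suspicious-urls", "severity": "HIGH", "message": "IP-based URL"},
        {"rule": "metadata-mismatch", "severity": "MEDIUM", "message": "undeclared env var"}]})
    decision, grouped = scan_skill("./cool-scraper", run=fake_runner(1, sample))
    print(decision, grouped)  # -> confirm {'HIGH': [...], 'MEDIUM': [...]}
```

Swap `fake_runner` for the default `subprocess.run` to gate a real directory; the decision string is what the assistant acts on before any `clawhub install`.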
Important notes
- Always scan BEFORE installation, never after
- If ClawGuard is not installed, run `npm install -g clawguard` first
- If a skill contains scripts (.sh, .py, .js), ClawGuard will scan those too
- A clean scan does not guarantee absolute safety — it catches known patterns only
- For skills that interact with external websites, note that content at those URLs may change over time (a safe link today could become malicious tomorrow)
Skill name: clawguard