中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:1 day ago Rescan
5 /100
openclaw-security-guard
Lightweight security guard for auditing prompts, commands, URLs, paths, and skill folders before publishing or automation
OpenClaw Security Guard is a legitimate, well-documented security auditing tool that uses regex-based pattern matching to detect dangerous shell commands, secrets, prompt injection, SSRF, and path traversal risks. No malicious behavior detected.
Skill Nameopenclaw-security-guard
Duration37.0s
Enginepi
Safe to install
This skill is safe to use. The IOCs flagged (curl|bash, wget|sh patterns in checklist.md) are intentional detection rules, not actual dangerous execution. Continue using for security audits.

Findings 2 items

Severity Finding Location
Info
IOC References in Checklist Doc Mismatch
The checklist.md references dangerous shell patterns (curl|bash, wget|sh) on lines 14-15. These are intentionally documented as patterns to DETECT and block, not as actual execution. This is expected behavior for a security auditing tool.
- `curl ... | bash`
- `wget ... | sh`
→ No action needed - this is intentional documentation of dangerous patterns to detect.
 references/checklist.md:14
Info
Hardcoded Obsidian Vault Path Sensitive Access
write-obsidian-audit.mjs has a hardcoded path /Users/m1/Desktop/obsidianvault/ClawLite for writing audit reports. This is user-specific configuration, not data exfiltration.
const vaultDir = '/Users/m1/Desktop/obsidianvault/ClawLite';
→ Consider making vault path configurable via environment variable or argument for portability.
 scripts/write-obsidian-audit.mjs:10
ResourceDeclaredInferredStatusEvidence
Filesystem READ READ ✓ Aligned audit-skill-dir.mjs:25 reads target skill files for scanning
Shell READ READ ✓ Aligned prepublish-guard.mjs:22 spawnSync runs audit script
Network NONE NONE No network requests made
Environment NONE NONE Does not read or exfiltrate env vars
2 Critical 2 findings
💀
Critical Dangerous Command 危险 Shell 命令
curl ... | bash
references/checklist.md:14
💀
Critical Dangerous Command 危险 Shell 命令
wget ... | sh
references/checklist.md:15

File Tree

8 files · 12.0 KB · 302 lines
JavaScript 4f · 153L Markdown 2f · 121L Shell 1f · 16L JSON 1f · 12L
├─ 📁 references
│ └─ 📝 checklist.md Markdown 30L · 1.0 KB
├─ 📁 scripts
│ ├─ 📜 audit-skill-dir.mjs JavaScript 53L · 2.3 KB
│ ├─ 🔧 install-hooks.sh Shell 16L · 493 B
│ ├─ 📜 prepublish-guard.mjs JavaScript 24L · 1.1 KB
│ ├─ 📜 security-check.mjs JavaScript 47L · 2.4 KB
│ └─ 📜 write-obsidian-audit.mjs JavaScript 29L · 1.0 KB
├─ 📋 package.json JSON 12L · 717 B
└─ 📝 SKILL.md Markdown 91L · 3.0 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
Node.js standard library only N/A Built-in No No external npm dependencies required

Security Positives

✓ Comprehensive security detection rules for prompt injection, command injection, SSRF, and path traversal
✓ Well-documented SKILL.md with clear capability declarations
✓ Uses only standard Node.js libraries (fs, path, child_process) - no external dependencies with known vulnerabilities
✓ Proper ALLOW/WARN/BLOCK verdict system with actionable guidance
✓ Scans for hardcoded secrets, dangerous shell patterns, and sensitive file access
✓ No actual malicious behavior observed - all pattern matching is for detection purposes
✓ Clean, focused security tool with no obfuscation or suspicious code