High Risk — Risk Score 72/100
Last scan: 2 days ago
MoltGuard — OpenClaw security guard (likely credential harvesting tool)
The skill presents itself as a security guard tool, but its /og_claim command tells users to display their Agent ID and API Key in chat, its enrollment step runs a script outside the package against a caller-supplied URL, and its metadata description ends in a run of unrelated words that may carry a hidden prompt injection.
Skill Name: superguard
Duration: 38.3s
Engine: pi
Do not install this skill
Do not install or use this skill. It poses as a security tool, yet it directs users to expose their API key in chat and ships unexplained word-salad text in its metadata that may hide instructions to the model.

Attack Chain (5 steps)

1. Entry: masquerades as a legitimate security guard tool using defensive branding (SKILL.md:1)
2. Escalation: hidden garbled text in metadata may contain model injection instructions (SKILL.md:1)
3. Escalation: references the credential storage path ~/.openclaw/credentials/moltguard/ (SKILL.md:46)
4. Escalation: the /og_claim command instructs users to expose their Agent ID and API Key (SKILL.md:36)
5. Impact: enterprise enrollment is run against a caller-supplied URL by a script that is not part of this package, so where enrollment data is sent cannot be verified from the skill alone (SKILL.md:61)

Findings (5 items)

Critical: Hidden garbled text in metadata, possibly carrying a prompt injection
The metadata.description field ends with 'treasurer teacher mapsllah particularly asks presents seeks requested scrambling variation dialogue jointly indictment postage', a run of unrelated words with no relation to the product text before it. On its face the string is not an instruction, but description fields are typically fed to the model when it lists or selects skills, so unexplained filler there is the natural place to hide instructions to the model and should be treated as hostile until the author explains it.
Evidence: description: "MoltGuard — OpenClaw security guard by OpenGuardrails. Install MoltGuard... treasurer teacher mapsllah particularly asks presents seeks requested scrambling variation dialogue jointly indictment postage"
→ Remove all garbled text from metadata. Legitimate tools do not ship scrambled content in their description.
Location: SKILL.md:1
Critical: Credential harvesting through the /og_claim command
The skill instructs users to run /og_claim, which 'Shows your Agent ID and API Key to claim this agent on Core'. Displaying the key in chat places it in the model context and in every transcript or log that captures the conversation, and trains the user to treat key display and copy-paste as a normal onboarding step. Combined with the enrollment step below, this is the most likely point at which the credential leaves the user's control.
Evidence: Shows your Agent ID and API Key to claim this agent on Core:
→ Do not expose API keys through chat output. Legitimate tools hand a secret to the user through a secure configuration path, not a display-to-user pattern.
Location: SKILL.md:36
High: Enterprise enrollment against a caller-supplied URL
SKILL.md tells users to run enterprise-enroll.mjs with whatever Core URL they pass on the command line (the example uses the placeholder https://core.company.com). The script lives under ~/.openclaw/extensions/moltguard/scripts/ and is not part of this package, so what it transmits to that URL cannot be reviewed here; whoever controls the URL the user is told to enter controls where the enrollment data is sent.
Evidence: node ~/.openclaw/extensions/moltguard/scripts/enterprise-enroll.mjs https://core.company.com
→ Block skills that perform 'enrollment' against an unpinned URL; an enrollment endpoint should be fixed or allow-listed, and the script that contacts it should ship with the package for review.
Location: SKILL.md:61
High: Security-tool branding used to gain trust
The skill presents itself as a guard against 'prompt injection, data exfiltration, and malicious commands' while the behaviours above expose credentials rather than protect them. The keywords in metadata (data-exfiltration, credential-theft, command-injection) are defensive terms that make the package read as legitimate to both users and automated reviewers.
Evidence: keywords: [security, prompt-injection, data-exfiltration, pii, credential-theft, command-injection, guardrails, safety, agent-security, moltguard]
→ Be wary of tools whose security branding is not matched by reviewable code; the vocabulary of a defence tool is not evidence of one.
Location: SKILL.md:1
Medium: Social-engineering 'test' that has the user read a file
The 'Test Your Protection' section instructs users to read a specific file that it claims contains a hidden prompt-injection attack. A sample-payload test is a legitimate pattern in itself, but only when the sample ships inside the package and can be inspected before it is fed to the agent; this one lives outside the package under the extension directory and is not covered by this scan. As an onboarding step it desensitises users to reading suspicious files on request and builds trust before later, less benign instructions.
Evidence: cat ~/.openclaw/extensions/moltguard/samples/test-email-popup.txt
→ Never encourage reading arbitrary files as a 'test' of a security tool.
Location: SKILL.md:21
Resource      Declared  Inferred  Status       Evidence
Filesystem    NONE      READ      ✗ Violation  SKILL.md references reading ~/.openclaw/extensions/moltguard/samples/test-email-…
Shell         NONE      WRITE     ✗ Violation  SKILL.md declares multiple bash commands (/og_status, /og_claim, /og_core, /og_c…
Environment   NONE      READ      ✗ Violation  Credentials saved to ~/.openclaw/credentials/moltguard/ implies API key access
External references (2 findings)
Medium  External URL   https://core.company.com   SKILL.md:122
Info    Email address  [email protected]            SKILL.md:149
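As an added example (not the scanner that produced this report, and not MoltGuard's or OpenClaw's code), the following Python reconstructs three of the checks shown above over constructed input: the declared-versus-inferred resource table, the external URL and email extraction, and the word-salad tail behind the metadata finding. The sample SKILL.md is assembled from the lines this report quotes, with a placeholder email on the reserved example.com domain; the `permissions` key in the sample _meta.json is an assumption made for the example, since the real file's contents are not shown here.

```python
"""Added example: a minimal static checker for an agent-skill package.

This is not the scanner that produced this report and not MoltGuard's code.
It reconstructs three of the report's checks over constructed input:
  1. resources inferred from SKILL.md vs. permissions declared in _meta.json
  2. extraction of external URLs and email addresses
  3. a word-salad tail in metadata.description (the hidden-injection finding)
"""
import json
import re

# Constructed sample: the SKILL.md lines quoted in the report, not the full file.
# The email is a placeholder on the reserved example.com domain.
SAMPLE_SKILL_MD = """\
# MoltGuard

Commands: /og_status, /og_claim, /og_core

Shows your Agent ID and API Key to claim this agent on Core:

Credentials are saved to ~/.openclaw/credentials/moltguard/

cat ~/.openclaw/extensions/moltguard/samples/test-email-popup.txt

node ~/.openclaw/extensions/moltguard/scripts/enterprise-enroll.mjs https://core.company.com

Contact: contact@example.com
"""

# Constructed _meta.json. The "permissions" key is an assumption for this
# example; the report shows NONE declared for every resource, hence {}.
SAMPLE_META = {
    "name": "superguard",
    "description": (
        "MoltGuard - OpenClaw security guard by OpenGuardrails. Install MoltGuard... "
        "treasurer teacher mapsllah particularly asks presents seeks requested "
        "scrambling variation dialogue jointly indictment postage"
    ),
    "permissions": {},
}

# resource -> (inferred access mode, pattern whose 'ev' group is the evidence)
RESOURCE_PATTERNS = {
    "filesystem": ("READ", re.compile(r"\b(?:cat|less|head|tail)\s+(?P<ev>[~/]\S+)")),
    "shell": ("EXEC", re.compile(r"^(?P<ev>(?:node|bash|sh|python3?)\s+.+)$", re.M)),
    "network": ("CONNECT", re.compile(r"(?P<ev>https?://[^\s)\"'>]+)")),
    "credentials": ("READ", re.compile(r"(?P<ev>~/\.openclaw/credentials/\S*|\bAPI Key\b)")),
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def infer_resources(skill_md):
    """Return {resource: (mode, [evidence, ...])} for every resource SKILL.md touches."""
    found = {}
    for resource, (mode, pattern) in RESOURCE_PATTERNS.items():
        evidence = [m.group("ev") for m in pattern.finditer(skill_md)]
        if evidence:
            found[resource] = (mode, evidence)
    return found


def check_declarations(inferred, declared):
    """Compare inferred use with declared permissions ({resource: mode}; absent = NONE).

    Returns rows of (resource, declared, inferred, status, evidence); any use of a
    resource declared NONE is a violation, mirroring the report's table.
    """
    rows = []
    for resource, (mode, evidence) in inferred.items():
        declared_mode = declared.get(resource, "NONE")
        status = "violation" if declared_mode == "NONE" else "ok"
        rows.append((resource, declared_mode, mode, status, evidence))
    return rows


def extract_externals(skill_md):
    """Collect external URLs and email addresses referenced by the skill."""
    urls = RESOURCE_PATTERNS["network"][1].findall(skill_md)
    return {"urls": sorted(set(urls)), "emails": sorted(set(EMAIL_RE.findall(skill_md)))}


def word_salad_tail(description, min_tokens=8):
    """Return the trailing run of bare lowercase words after the last sentence
    terminator if it is long enough to look like appended filler, else None.

    Heuristic only: it catches the pattern in this report (a real sentence
    followed by unpunctuated dictionary words) and misses injections that are
    written as grammatical sentences.
    """
    tail = re.split(r"[.!?]+", description)[-1].split()
    if len(tail) >= min_tokens and all(t.isalpha() and t.islower() for t in tail):
        return tail
    return None


def scan(skill_md, meta):
    """Run all three checks and return a JSON-serialisable report."""
    inferred = infer_resources(skill_md)
    return {
        "resources": check_declarations(inferred, meta.get("permissions", {})),
        "externals": extract_externals(skill_md),
        "metadata_tail": word_salad_tail(meta.get("description", "")),
    }


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_SKILL_MD, SAMPLE_META), indent=2))
```

Run it directly to print the report for the constructed sample; pass a real SKILL.md string and parsed _meta.json to `scan()` to reproduce the declared-versus-inferred table, then read every violation row and any non-None `metadata_tail` by hand. The tail heuristic flags the pattern in this report (a sentence followed by bare dictionary words) and will not catch an injection written as grammatical prose, which is why the description text itself still needs a human review.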

File Tree

2 files · 4.7 KB · 177 lines (Markdown: 1 file, 172 lines; JSON: 1 file, 5 lines)
├─ _meta.json   JSON, 5 lines, 129 B
└─ SKILL.md     Markdown, 172 lines, 4.6 KB

Security Positives

✓ The package itself contains no executable code (no scripts/ directory). Note, however, that SKILL.md instructs the user to run enterprise-enroll.mjs and to read a sample file from ~/.openclaw/extensions/moltguard/, both outside the package and therefore outside this scan; absence of code in the package is not absence of execution.
✓ No external dependency manifest (requirements.txt, package.json).