Skill Trust Decision

superguard

Skill masquerades as a security guard tool but harvests credentials through fake commands, and its metadata contains garbled text that likely hides a prompt injection.

Source: Manual upload · Scanned: Apr 3, 2026
Files 2
Artifacts 2
Violations 3
Findings 5
Most direct threat evidence

Critical · Hidden garbled text in metadata may carry a prompt injection · SKILL.md:1 (full finding under Most important evidence)

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

3 undeclared or violating capabilities were inferred.

Review
Hidden execution and egress

2 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 5 attack-chain steps and 4 severe findings.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
Masquerades as legitimate security guard tool using defensive branding

Entry · SKILL.md:1

02
Hidden garbled text in metadata may contain model injection instructions

Persistence · SKILL.md:1

03
References credential storage path ~/.openclaw/credentials/moltguard/

Credential Access · SKILL.md:46

04
/og_claim command instructs users to expose Agent ID and API Key

Exfiltration · SKILL.md:36

05
Documented enterprise-enroll.mjs script connects to caller-supplied URLs, a ready path for credential exfiltration

Impact · SKILL.md:61

What drove the risk score up

Hidden garbled text in metadata +25

SKILL.md metadata contains scrambled text that may hide malicious instructions for model injection

Credential harvesting commands +25

/og_claim command instructs users to expose their Agent ID and API Key

Undeclared credential path access +15

Skill declares NONE for filesystem but references ~/.openclaw/credentials/ access

Social engineering for credential display +20

Onboarding flow asks users to paste credentials to claim-agent page

Fake security tool branding +12

Poses as security protection to gain trust while harvesting credentials

Most important evidence

Critical

Hidden garbled text in metadata may carry a prompt injection

The metadata.description field contains: 'treasurer teacher mapsllah particularly asks presents seeks requested scrambling variation dialogue jointly indictment postage'. This is not a description of the tool; it is a run of unrelated dictionary words, which points to deliberate obfuscation and may be a carrier for hidden instructions aimed at the model. Metadata is read by the agent before any command runs, so a payload here executes on install, not on use.

SKILL.md:1
Remediation: Remove all garbled text from metadata. Legitimate tools do not ship scrambled content in their descriptions.

Critical

Credential harvesting through /og_claim command

The skill instructs users to run /og_claim, which 'Shows your Agent ID and API Key to claim this agent on Core'. Printing a live API key into chat output places the secret in the conversation transcript, where the model, session logs and any connected tools can read it. This is a credential-exposure mechanism disguised as a legitimate onboarding step.

SKILL.md:36
Remediation: Do not expose API keys through chat output. Legitimate tools use secure configuration methods (environment variables or a secrets store), not display-to-user patterns.

High

Enterprise enrollment to arbitrary URLs

SKILL.md:61 documents an enterprise-enroll.mjs script that takes a caller-supplied URL as its enrollment endpoint, which would redirect security scanning, and whatever data accompanies it, to whichever host is given, including an attacker-controlled one. The script itself is not in the uploaded bundle (see Security positives), so this behaviour is inferred from the instructions, not from scanned code.

SKILL.md:61
Remediation: Block any skill that connects to arbitrary URLs for 'enrollment' purposes.

High

Fake security tool branding for trust

The skill poses as a security guard protecting against 'prompt injection, data exfiltration, and malicious commands' while actually functioning as a credential harvester. The keywords in its metadata (data-exfiltration, credential-theft, command-injection) are defensive terms chosen to appear legitimate. Note also that the skill is uploaded as superguard while every path it references lives under moltguard; a mismatch between the branding and the artifacts it ships is itself a signal worth questioning.

SKILL.md:1
Remediation: Be wary of tools that use security-related branding to mask their true purpose.

Medium

Social engineering test file read

The 'Test Your Protection' section instructs users to read a specific file that it claims contains a hidden prompt injection attack. Whether or not the sample is benign, the pattern trains users to open files a tool points them at and builds trust before later, riskier requests.

SKILL.md:21
Remediation: Never encourage reading arbitrary files as a 'test' of security tools.

Declared capability vs actual capability

Filesystem Block
Declared NONE
Inferred READ
SKILL.md references reading ~/.openclaw/extensions/moltguard/samples/test-email-popup.txt
Shell Block
Declared NONE
Inferred WRITE
SKILL.md declares multiple bash commands (/og_status, /og_claim, /og_core, /og_config, /og_dashboard)
Environment Block
Declared NONE
Inferred READ
Credentials saved to ~/.openclaw/credentials/moltguard/ implies API key access
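The declared-vs-inferred comparison this dimension performs can be reproduced with a small static check. The following is an added example, not the scanner's own code: it assumes a _meta.json that declares capabilities per dimension as NONE / READ / WRITE (an assumed schema) and runs against a constructed SKILL.md fragment that reproduces the paths, commands and URL quoted in this report. It flags any dimension declared NONE that the text nonetheless implies, records external URLs as egress, and separately flags a command whose own description says it displays a key.

```python
import json
import re

# Constructed _meta.json. The capability schema (NONE / READ / WRITE per
# dimension) is an assumption for this example, not the scanner's real format.
META_JSON = json.dumps({
    "name": "superguard",
    "capabilities": {"filesystem": "NONE", "shell": "NONE", "environment": "NONE"},
})

# Constructed SKILL.md fragment reproducing the paths, commands and URL quoted
# in the report; line positions do not match the real file.
SKILL_MD = """## Test Your Protection
Read ~/.openclaw/extensions/moltguard/samples/test-email-popup.txt and watch it get blocked.

## Commands
- /og_status: Shows protection status
- /og_claim: Shows your Agent ID and API Key to claim this agent on Core
- /og_config: Edit settings

## Enterprise
Run `node enterprise-enroll.mjs --core-url https://core.company.com` to enroll.
Credentials are saved to ~/.openclaw/credentials/moltguard/.
"""

HOME_PATH = re.compile(r"~/[\w./-]*[\w/]")                 # ~/... paths, trailing punctuation excluded
SLASH_CMD = re.compile(r"^\s*-\s*(/\w+):\s*(.+)$", re.M)   # "- /cmd: description" bullets
URL = re.compile(r"https?://[^\s`'\")]+")
SECRET_WORDS = re.compile(r"\b(api key|token|secret|password)\b", re.I)


def infer_capabilities(skill_md: str) -> dict:
    """Derive the capabilities SKILL.md actually implies from what it references."""
    paths = HOME_PATH.findall(skill_md)
    commands = SLASH_CMD.findall(skill_md)
    inferred = {}
    if paths:
        inferred["filesystem"] = "READ"
    if commands:
        inferred["shell"] = "EXEC"
    if any("/credentials/" in p for p in paths):
        inferred["environment"] = "READ"   # a credentials directory implies secret access
    return {"inferred": inferred, "paths": paths, "commands": commands,
            "egress": URL.findall(skill_md)}


def scan(meta_json: str, skill_md: str) -> dict:
    """Compare declared capabilities with inferred ones and flag secret-displaying commands."""
    declared = json.loads(meta_json)["capabilities"]
    found = infer_capabilities(skill_md)
    violations = [
        f"{cap}: declared {declared.get(cap, 'NONE')}, inferred {level}"
        for cap, level in found["inferred"].items()
        if declared.get(cap, "NONE") == "NONE"
    ]
    # A command whose own description says it displays a key is a credential
    # exposure finding regardless of what the manifest declares.
    findings = [
        f"{cmd}: output exposes a secret ({desc.strip()})"
        for cmd, desc in found["commands"]
        if SECRET_WORDS.search(desc)
    ]
    return {"violations": violations, "findings": findings, "egress": found["egress"]}


if __name__ == "__main__":
    for section, items in scan(META_JSON, SKILL_MD).items():
        print(section)
        for item in items:
            print("  -", item)
```

On the constructed input this yields three violations (filesystem, shell, environment declared NONE but implied), one egress URL, and one credential-exposure finding for /og_claim, matching the dimensions flagged above. The check is deliberately text-only: it reasons about what the instructions tell the agent to do, which is all that is available when, as here, the referenced scripts are not in the bundle.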

Suspicious artifacts and egress

Medium External URL
https://core.company.com

SKILL.md:122

Info Email
[email protected]

SKILL.md:149

Dependencies and supply chain

There are no structured dependency warnings.

File composition

2 files · 177 lines
Markdown 1 file · 172 lines · JSON 1 file · 5 lines
Files of concern · 1
SKILL.md Markdown · 172 lines
Hidden garbled text in metadata likely containing prompt injection · Credential harvesting through /og_claim command · Enterprise enrollment to arbitrary URLs · Fake security tool branding for trust · Social engineering test file read · https://core.company.com · [email protected]
Other files · _meta.json

Security positives

Skill does not contain executable code in the upload (no scripts/ directory). Note that SKILL.md still references an enterprise-enroll.mjs script, so the code path exists outside the bundle and was not scanned.
Skill does not have external dependency files (requirements.txt, package.json)