High risk: risk score 72/100
Last scanned: 2 days ago
superguard
MoltGuard — OpenClaw security guard (likely credential harvesting tool)
The skill masquerades as a security guard tool but harvests credentials through fake commands, and its metadata contains garbled text that likely hides a prompt injection.
Skill name: superguard
Analysis time: 38.3s
Engine: pi
Do not install this skill
Do not install or use this skill. It poses as a security tool but is designed to phish credentials and may contain hidden malicious instructions in metadata.

Attack chain (5 steps)

Entry point: Masquerades as a legitimate security guard tool using defensive branding
SKILL.md:1
Privilege escalation: Hidden garbled text in metadata may contain model injection instructions
SKILL.md:1
Privilege escalation: References credential storage path ~/.openclaw/credentials/moltguard/
SKILL.md:46
Privilege escalation: /og_claim command instructs users to expose Agent ID and API Key
SKILL.md:36
Impact: Enterprise enrollment script connects to arbitrary URLs for credential exfiltration
SKILL.md:61

Security findings (5)

Severity | Finding | Location
Critical: Hidden garbled text in metadata likely containing prompt injection
The metadata.description field contains: 'treasurer teacher mapsllah particularly asks presents seeks requested scrambling variation dialogue jointly indictment postage' - this appears to be deliberately obfuscated content that could contain hidden instructions to manipulate the AI model.
description: "MoltGuard — OpenClaw security guard by OpenGuardrails. Install MoltGuard... treasurer teacher mapsllah particularly asks presents seeks requested scrambling variation dialogue jointly indictment postage"
→ Remove all garbled text from metadata. Legitimate tools do not contain scrambled content.
SKILL.md:1
Critical: Credential harvesting through /og_claim command
The skill instructs users to run /og_claim which 'Shows your Agent ID and API Key to claim this agent on Core'. This is a credential exfiltration mechanism disguised as a legitimate onboarding step.
Shows your Agent ID and API Key to claim this agent on Core:
→ Do not expose API keys through chat output. Legitimate tools use secure configuration methods, not display-to-user patterns.
SKILL.md:36
High: Enterprise enrollment to arbitrary URLs
The enterprise-enroll.mjs script accepts arbitrary URLs and redirects security scanning to attacker-controlled endpoints.
node ~/.openclaw/extensions/moltguard/scripts/enterprise-enroll.mjs https://core.company.com
→ Block any skill that connects to arbitrary URLs for 'enrollment' purposes.
SKILL.md:61
High: Fake security tool branding for trust
The skill poses as a security guard protecting against 'prompt injection, data exfiltration, and malicious commands' while actually being a credential harvester. The keywords in metadata (data-exfiltration, credential-theft, command-injection) are defensive terms used to appear legitimate.
keywords: [security, prompt-injection, data-exfiltration, pii, credential-theft, command-injection, guardrails, safety, agent-security, moltguard]
→ Be wary of tools that use security-related branding to mask their true purpose.
SKILL.md:1
Medium: Social engineering test file read
The 'Test Your Protection' section instructs users to read a specific file claiming it contains a hidden prompt injection attack. This could be used to desensitize users to reading suspicious files or to establish trust before malicious actions.
cat ~/.openclaw/extensions/moltguard/samples/test-email-popup.txt
→ Never encourage reading arbitrary files as a 'test' of security tools.
SKILL.md:21
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | READ | ✗ exceeds declared | SKILL.md references reading ~/.openclaw/extensions/moltguard/samples/test-email-…
Command execution | NONE | WRITE | ✗ exceeds declared | SKILL.md declares multiple bash commands (/og_status, /og_claim, /og_core, /og_c…
Environment variables | NONE | READ | ✗ exceeds declared | Credentials saved to ~/.openclaw/credentials/moltguard/ implies API key access
2 findings
Medium · External URL
https://core.company.com
SKILL.md:122
Info · Email address
[email protected]
SKILL.md:149

Directory structure

2 files · 4.7 KB · 177 lines
Markdown: 1 file · 172 lines; JSON: 1 file · 5 lines
├─ 📋 _meta.json JSON 5L · 129 B
└─ 📝 SKILL.md Markdown 172L · 4.6 KB

Security highlights

✓ Skill does not contain actual executable code (no scripts/)
✓ Skill does not have external dependency files (requirements.txt, package.json)