ClawAudit verdict

openclaw-prompt-shield

88
🟢 Trusted
Low risk — reviewed by ClawAudit, behavior matches stated purpose

Local input-hardening scanner using pure Python pattern matching to detect prompt injection and jailbreak attempts; explicitly makes no external API calls.

⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.

Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.

0
security
90
transparency
70
maintenance

Findings (14)

Pattern match high

Uses eval() — can execute arbitrary code

references/patterns.md · prose · downgraded · eval(

Pattern match high

Accesses sensitive system files

references/patterns.md · prose · downgraded · /etc/passwd

Pattern match high

Pipe to bash — executes piped content as shell commands

scripts/_patterns.py · prose · downgraded · |bash

Pattern match high

Pipe to sh — executes piped content as shell commands

scripts/_patterns.py · prose · downgraded · |sh

Pattern match high

Pipe to python — executes piped content as Python code

scripts/_patterns.py · prose · downgraded · |python

Coarse signal — prose, single-step high

Instruction-prose smuggling shape detected: collects a sensitive target ("secret") and emits it outward ("post"). Phrased as prose with no trigger tokens — a semantic prompt-injection / data-exfil pattern the syntactic scanners can't see. Final tier capped at Caution; review the instructions before installing.

SKILL.md · - Followup pass on the v0.4.0 cleanup: moved the remaining inline word directories (the secret-stem list and the exfil-channel alternation) out of `scripts/_pat

Pattern match medium

Instructs covert action — may act without user awareness

SKILL.md · prose · downgraded · silently

Pattern match medium

os.system/popen — direct OS command execution

references/patterns.md · prose · downgraded · os.system(

Pattern match medium

References sudo — requests elevated privileges

references/patterns.md · prose · downgraded · sudo

Pattern match medium

Accesses cloud provider credentials

references/patterns.md · prose · downgraded · ~/.aws

Pattern match medium

Python chr() concatenation — builds strings to evade detection

scripts/_patterns.py · prose · downgraded · chr(68) + chr(65)

Pattern match medium

Accesses .ssh directory

scripts/_patterns.py · prose · downgraded · .ssh/

Pattern match low

References tunneling service

references/exfil-hosts.txt · prose · downgraded · ngrok

Pattern match low

Popular HTTP library — network access

scripts/scan_batch.py · prose · downgraded · got

Why the tier is capped

Execution sink present in raw bytes (Hard Floor: class A/B/D). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.

Permissions & capabilities

Requires 1 system binary.

Is this flag fair?

Check another skill Browse the registry Auditing your own skills or configs? Use the API