ClawAudit verdict
agentguard
security
GoPlus AgentGuard security framework for auditing installed skills, credentials, and network exposure; filesystem access is explicitly read-only for auditing purposes and the declared paths (`.ssh/`, `.gnupg/`) are stat-only checks, not key content reads, consistent with security auditing.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives.
Permission integrity
agent_memory
Findings (24)
Pipe to bash — executes piped content as shell commands
SKILL.md · code · | Bash
Recursive delete from root or home — destructive command
SKILL.md · code · rm -rf /
Possible hardcoded credential
SKILL.md · code · credential: "A private key or API token was found in plain text in a file — it s
Accesses .ssh directory
SKILL.md · frontmatter · .ssh/
Pipe to sh — executes piped content as shell commands
SKILL.md · prose · downgraded · |sh
Accesses sensitive system files
action-policies.md · prose · downgraded · /etc/passwd
Pipe to python — executes piped content as Python code
scan-rules.md · prose · downgraded · | Python
Uses eval() — can execute arbitrary code
scan-rules.md · prose · downgraded · eval(
<script> tag in markdown — potential code injection
scripts/checkup-report.js · prose · downgraded · <script
References SSH/GPG private keys
SKILL.md · prose · downgraded · SSH_KEY
Accesses system credential store
evals.md · prose · downgraded · KEYCHAIN
Instructs covert action — may act without user awareness
SKILL.md · prose · downgraded · silently
Accesses cloud provider credentials
action-policies.md · prose · downgraded · ~/.aws
References sudo — requests elevated privileges
action-policies.md · prose · downgraded · sudo
Uses exec() — may execute shell commands
scan-rules.md · prose · downgraded · exec(
References child_process — can spawn system processes
scan-rules.md · prose · downgraded · child_process
Uses spawn() — can execute external programs
scan-rules.md · prose · downgraded · spawn(
os.system/popen — direct OS command execution
scan-rules.md · prose · downgraded · os.system(
Dynamic import() — loads module at runtime
scripts/auto-scan.js · prose · downgraded · import('
Base64 encoding/decoding
SKILL.md · prose · downgraded · base64-encode
References tunneling service
action-policies.md · prose · downgraded · ngrok
pip3 install — installs Python packages at runtime
action-policies.md · prose · downgraded · pip3 install
Popular HTTP library — network access
scan-rules.md · prose · downgraded · axios
Python os.getenv — reads environment variable
scan-rules.md · prose · downgraded · os.getenv(
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class A/B/D). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
No declared permissions — minimal attack surface.
network_in
agent_memory