ClawAudit verdict
security-operator
Receives external input AND uses eval
Runtime security guardrails skill defining operating modes and always-on protections against prompt injection; the content explicitly defines safe boundaries and requires user approval for high-risk actions.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
What it does
These are capability combinations: each listed behavior occurs in the skill, but ClawAudit detects co-occurrence — it does not verify that one flows into another. Read the code to confirm a live chain.
Receives external input AND uses eval — the remote code-injection pattern (data-flow not verified)
LLM01 · LLM05 · ASI01 · ASI05
Encodes data AND uses eval — the obfuscated-execution pattern (atob + eval; data-flow not verified)
LLM05 · ASI05 · ASI10
Findings (7)
Pipe to bash — executes piped content as shell commands
SKILL.md · code · |bash
Pipe to sh — executes piped content as shell commands
SKILL.md · code · |sh
Prompt injection — tries to override agent instructions
references/prompt-injection-guardrails.md · prose · downgraded · ignore previous instructions
Accesses OpenClaw config/secrets directly
SKILL.md · code · ~/.openclaw/.env
Popular HTTP library — network access
SKILL.md · code · axios
References sudo — requests elevated privileges
SKILL.md · prose · downgraded · sudo
Instructs covert action — may act without user awareness
SKILL.md · prose · downgraded · silently
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class A). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
No declared permissions — minimal attack surface.
credential_accessnetwork_indynamic_evaldata_encoding Thanks — recorded.