ClawAudit verdict

security-sentinel

security-sentinel-skill

88
🟢 Trusted
Low risk — reviewed by ClawAudit, behavior matches stated purpose

Prompt injection and jailbreak detection skill that blocks malicious inputs using pattern matching and penalty scoring; purely defensive content with no malicious behavior.

⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.

Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives.

0
security
90
transparency
70
maintenance

Findings (22)

Pattern match critical

Prompt injection — tries to override agent instructions

SKILL.md · code · ignore all previous instructions

Pattern match critical

Instructs agent to hide actions from user

advanced-threats-2026.md · code · do not notify the user

Pattern match critical

Accesses AWS credentials file

blacklist-patterns.md · code · ~/.aws/credentials

Pattern match critical

Unicode homoglyph detected — uses lookalike characters to evade pattern matching

blacklist-patterns.md · code

Pattern match critical

Raw model control tokens — prompt injection via token manipulation

blacklist-patterns.md · code · <|im_start|>

Pattern match critical

<script> tag in markdown — potential code injection

blacklist-patterns.md · code · <script>

Pattern match critical

Recursive delete from root or home — destructive command

blacklist-patterns.md · code · rm -rf /

Pattern match critical

Accesses Google Cloud credentials

credential-exfiltration-defense.md · code · ~/.config/gcloud

Pattern match critical

Possible hardcoded credential

SECURITY.md · code · Token: "YOUR_AGENT_BOT_TOKEN

Pattern match high

Possible prompt injection — attempts to redefine agent identity

SKILL.md · code · You are now

Pattern match high

Accesses .ssh directory

credential-exfiltration-defense.md · code · .ssh/

Pattern match high

Accesses cloud provider credentials

blacklist-patterns.md · code · ~/.aws

Pattern match high

References sudo — requests elevated privileges

blacklist-patterns.md · code · sudo

Pattern match high

Redefines agent role — prompt injection technique

blacklist-patterns.md · code · from now on, you are

Pattern match high

Data URI with base64 payload — may embed malicious content

blacklist-patterns.md · code · data:text/html,<script>ignore previous</script>" "data:text/plain;base64,

Pattern match high

Accesses Kubernetes config (may contain cluster credentials)

credential-exfiltration-defense.md · code · ~/.kube/config

Pattern match high

Accesses system credential store

credential-exfiltration-defense.md · code · Keychain

Pattern match high

Instructs covert action — may act without user awareness

SECURITY.md · code · Silently

Pattern match medium

Base64 encoding/decoding

blacklist-patterns.md · code · base64_decode

Pattern match medium

References agent memory files

memory-persistence-attacks.md · code · MEMORY.md

Pattern match medium

Popular HTTP library — network access

multilingual-evasion.md · code · got

Pattern match low

pip3 install — installs Python packages at runtime

install.sh · prose · downgraded · pip3 install

Why the tier is capped

Execution sink present in raw bytes (Hard Floor: class A/C). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.

Permissions & capabilities

No declared permissions — minimal attack surface.
