Openclaw Sec

The codebase (many TypeScript modules: prompt-injection, command-validator, url-validator, path-validator, secret-detector, content-scanner, plus tests and hooks) aligns with the described purpose of a real-time security validation suite. It does not request unrelated credentials or binaries in the registry metadata, which is appropriate. However, the registry lists 'No install spec — this is an instruction-only skill' while the package contains a full implementation and README instructs running npm install; that mismatch is an incoherence worth noting.

SKILL.md describes CLI commands and hooking into the host agent, stores logs and a local SQLite DB, and shows example inputs (including attack strings) and example notification/webhook configuration. The instructions ask the user to copy example config files and run npm install and to enable hooks for 'automatic protection' — these are reasonable for this tool, but the hooks and automatic protection mechanism means the skill will receive/validate user inputs and may be wired into agent I/O. The SKILL.md also contains many prompt-injection example strings (used for detection), which is expected for a security tool but flagged by the pre-scan as potential injection attempts — they appear in tests and examples, not as commands to override the evaluator.

The registry shows no formal install spec, yet the README and SKILL.md instruct users to run 'npm install' and to install via 'npx clawdhub ...'. Installing will fetch npm dependencies (package.json and large lockfiles are present) which is a moderate-risk step compared to an instruction-only skill. There are also hook scripts (hooks/install-hooks.sh, handler.ts files) which may modify the OpenClaw agent hooks/config when run. No external download URLs or shorteners are present in the supplied files, which reduces high-risk download concerns, but you should inspect package.json, its dependencies, and the hook scripts before running npm install or executing install hooks.

The registry requires no environment variables or credentials, which is consistent for an on-host validator. The example configuration (not mandatory) contains optional notification channels (webhook, Slack, Discord, SMTP) that would accept external credentials if enabled — those are optional but would expose scanned content externally if configured. The config also supports owner_ids that bypass checks; ensure you understand and control any bypass lists. There is no evidence the package demands unrelated cloud or system credentials by default.

always:false (no forced global inclusion) and model invocation is allowed (default) — appropriate. However, the skill includes 'auto-hooks' and an install script that can enable hooks in the OpenClaw workspace; installation will place files under ~/.openclaw/workspace/skills/openclaw-sec/ and write logs and a local DB by default. Hooks can change agent behavior (automatic protection) and could be configured to send notifications externally. Review hooks/install-hooks.sh and any hook registration steps — they can persist behavior across agent sessions and should be audited prior to enabling.