Senseguard

by fermionoid · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
Downloads: 1675
Stars: 1
Active Installs: 0
Versions: 2
Install in OpenClaw
/install senseguard
Description
Semantic security scanner for OpenClaw skills. Detects prompt injection, data exfiltration, and hidden instructions that traditional code scanners miss. Use when user asks to scan skills, check skill safety, or run a security audit.
Usage Guidance
SenseGuard appears to implement the scanner it claims to be, but there are privacy and persistence trade-offs you should consider before installing:
- It reads many text files (including .env and other config-like files) when scanning to detect exfiltration and credential access — expect sensitive values to be read during scans.
- The tool caches scan results to ~/.openclaw/senseguard/cache.json. That cache can contain evidence snippets and generated prompts; inspect or encrypt/relocate the cache if you don't want scan artifacts stored in your home directory, or run with --no-cache.
- Semantic (Layer 2) analysis is performed by sending a constructed prompt to an LLM (the agent). If you enable deep/Layer 2 scanning or allow autonomous model invocation, the full skill content can be transmitted to the LLM provider. If that is unacceptable, avoid deep scans or run the tool in an isolated environment and/or ensure the LLM endpoint is trusted.
- The SKILL.md contains example malicious phrases (prompt-injection test cases) which triggered the pre-scan detector — this is expected for a scanner, not proof of malicious intent.
Recommendations before installing or running:
- Review the source files yourself (they are bundled) and verify the cache path and contents.
- Run initial scans in a controlled environment (sandbox or VM) and use --no-cache when scanning sensitive skills.
- If you need semantic Layer 2 analysis, decide whether your LLM provider and data-handling policies are acceptable for sending full skill content.
- If you have low tolerance for persistent artifacts, consider editing CacheManager to encrypt the cache or change the cache file location before use.
If you want, I can (a) point out exact lines that write/store layer2_prompt or evidence to the cache/report, (b) show how to run the scanner without Layer 2 or without caching, or (c) suggest a minimal patch to avoid persisting evidence text in the cache.
Capability Analysis
Type: OpenClaw Skill
Name: senseguard
Version: 1.0.1
The OpenClaw skill 'senseguard' is a security scanner designed to detect prompt injection, data exfiltration, obfuscation, and persistence attacks in other OpenClaw skills. All code and documentation, including the SKILL.md and the `ANALYSIS_PROMPT_TEMPLATE` in `semantic_analyzer.py`, consistently describe and implement functionality for *detecting* malicious behavior, not performing it. The scanner generates prompts for an AI agent to analyze *other* skills, and its internal rules are designed to identify known attack patterns. There is no evidence of intentional harmful behavior or instructions for the agent to act maliciously.
Capability Assessment
Purpose & Capability
Name, description, and bundled code (rule engine, semantic analyzer, scanner, reputation scorer, rules) align with a semantic security scanner. It searches installed skills under ~/.openclaw/skills and workspace 'skills' which is expected for this purpose. The engine intentionally examines file types like .env and SKILL.md to find credential/exfiltration patterns — that is coherent for a security scanner, but may be surprising because it implies the tool will read sensitive files.
Instruction Scope
SKILL.md instructs the agent to run python scripts and to process a generated 'layer2_prompt' via the agent/LLM and feed the JSON back. That is necessary for semantic layer analysis but means the full skill content (potentially including secrets read from .env or other files) may be sent to whatever LLM the agent uses. The SKILL.md also contains example malicious phrases (e.g., 'ignore all previous instructions'), which triggered the pre-scan injection detector; this is expected for a scanner that demonstrates what to detect, but it also means the skill intentionally crafts test cases that match prompt-injection patterns.
Install Mechanism
No remote install hooks or downloads are declared; this is an instruction + bundled-code skill with no network-based install. That lowers supply-chain/install risk. All code is included in the package.
Credentials
The skill does not request environment variables or credentials, which matches its stated purpose. However, it explicitly scans files like .env, SKILL.md, and other text assets for secrets/patterns. Reading these files is logically consistent for a security scanner but is privacy-sensitive because scan output and cache may retain snippets of sensitive data.
Persistence & Privilege
always:false and the scanner does not attempt to modify other skills, but it writes persistent cache data to ~/.openclaw/senseguard/cache.json and stores scan results (including layer2_prompt and findings). That persistent storage can contain evidence snippets or generated prompts. The scanner's Layer 2 workflow also relies on the agent/LLM to process prompts — if you permit the agent to run Layer 2, scanned content may be transmitted to the LLM provider. Both cache persistence and LLM-driven analysis increase blast radius for accidental data exposure.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install senseguard
  3. After installation, invoke the skill by name or use /senseguard
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Version 1.0.1 — Minor rule and logic updates for enhanced detection reliability.
- Improved detection logic in prompt injection rule.
- Updated reputation scoring mechanism for more accurate risk evaluation.
- Enhanced rule engine for better integration with new findings.
- Minor scanner script refinements for stability.
v1.0.0
v1.0.0 — Initial Release
SenseGuard is a lightweight semantic security scanner for OpenClaw skills. It complements VirusTotal's code-level malware scanning by focusing on what traditional scanners cannot see: natural language threats targeting AI agents. VirusTotal sees SKILL.md as a text file. SenseGuard sees it as agent instructions — and catches prompt injection, data exfiltration, obfuscation, and persistence attacks hidden in plain text.
What's included:
- 3-layer detection: regex rules (instant, zero cost) + LLM semantic analysis (optional) + 0-100 reputation scoring
- 28 detection rules across 5 threat categories (prompt injection, data exfiltration, malicious code, persistence, obfuscation)
- Markdown risk reports with evidence, line numbers, and actionable recommendations
- SHA-256 content-hash caching (7-day expiry)
Minimal footprint: Only requires Python 3 + PyYAML. 12 files, no external API calls, no extra dependencies. The scanner runs locally in milliseconds for Layer 1; Layer 2 uses your own configured model when needed.
Metadata
Slug senseguard
Version 1.0.1
License
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Senseguard?

Semantic security scanner for OpenClaw skills. Detects prompt injection, data exfiltration, and hidden instructions that traditional code scanners miss. Use when user asks to scan skills, check skill safety, or run a security audit. It is an AI Agent Skill for Claude Code / OpenClaw, with 1675 downloads so far.

How do I install Senseguard?

Run "/install senseguard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Senseguard free?

Yes, Senseguard is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Senseguard support?

Senseguard is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Senseguard?

It is built and maintained by fermionoid (@fermionoid); the current version is v1.0.1.
