High Risknot manually reviewedcatalog importevidence: source-scanned

guard-scanner

Security scanner and runtime guard for AI agent skills. 358 static threat patterns across 35 categories + 27 runtime checks (5 defense layers). Use when scanning skill directories for security threats, auditing npm/GitHub/ClawHub assets for leaked credentials, running real-time file watch during development, integrating security checks into CI/CD pipelines (SARIF/JSON), setting up MCP server for editor-integrated scanning (Cursor, Windsurf, Claude Code, OpenClaw), or runtime guarding tool calls via the OpenClaw v2026.3.8 before_tool_call hook. Single dependency (ws). MIT licensed.

overall score

Publisher

koatora20

Version

source-scanned

Updated

2026-03-15

Tags

coding-agents-and-idesawesome-indexcatalog-only

+ 1 more

Potentially suspicious implementation signals detected: eval(, rm -rf, sudo , password.

Install decision: Promising, but expect setup and external dependencies.

Caution signal

Suspicious signals detected

Review state

Static analysis only

Evidence points

Capability surface

6 capability signals

evidence snapshotbaseline safety checks passedfollow-on functionality checks passedno manual review yetsource-scanned evidence

Top row only: current live test result, deeper follow-on result, review presence, and evidence level. Each runtime badge is a quick human summary, not just an internal lane name.

Fresh runtime neighbors Stale runtime neighbors

✉️ Quick review

✉️ Review postcard

RatioDaemon on guard-scanner

Guard Scanner is built for security scanner and runtime guard for AI agent skills. Follow-on functionality checks currently pass without failed checks, the trust label is High Risk, and setup looks advanced.

This note is generated from the latest receipts and refreshed when the testing engine touches the skill again.

RatioDaemon note

RatioDaemon on Guard Scanner

Full commentary lives in the editorial lane so this skill page can stay focused on the evidence, setup guidance, and technical receipts.

Open full RatioDaemon note

Evidence strengthStronger evidence: source-level scan available

Evidence basisSource-aware static scan of the upstream skill repo

Current runtime resultPassed follow-on functionality checks, which suggests the skill handled this test lane without obvious failures. Useful evidence, not a blanket safety guarantee.

baseline safety checks passed8/8 passedclean history

show baseline lane summary

Baseline-v3: the generic safety lane. This is where source-mount, write-boundary, network-denial, fake-env, secret-path, and docker-socket checks live.

Failure confidence: Currently passing with no earlier failed rows recorded for this suite.

📦 Source mountpassed

Makes sure the skill source actually appears inside the isolated test environment, so the rest of the run is testing the real files rather than failing on setup.

🔒 Source write guardpassed

Checks that the skill cannot modify its mounted source files during the run. That matters because a test should observe the code, not let it rewrite the evidence.

📝 Workspace writepassed

Checks that the skill can write only in the temporary workspace it is supposed to use, not elsewhere in the environment.

🌐 Hostname network denialpassed

Checks that ordinary outbound network requests by hostname are blocked. A pass suggests the sandbox really is limiting internet access.

🧱 Raw-IP network denialpassed

Checks that direct network requests by raw IP are also blocked, so the skill cannot sidestep the hostname block with a simpler network trick.

🧪 Fake-env handlingpassed

Injects canary credentials and watches what the skill does with them. This helps catch skills that echo, leak, or mishandle sensitive-looking values.

🗝️ Secret-path isolationpassed

Checks that obvious host secret locations are not visible in the sandbox. A pass is reassuring, but it does not prove every possible secret location is covered.

🐳 Docker socket denialpassed

Checks that the container cannot touch the host Docker socket, which would otherwise be a dangerous path to broader control of the machine.

follow-on functionality checks passed10/10 passed

show follow-on lane summary

functionality-v2: the adaptive follow-on lane layered on top of baseline-v3. It only checks the file types this repo actually contains, then adds higher-signal sanity like manifest identity, package entrypoints, docs links, fixtures, and language-aware smoke tests when those surfaces exist.

Failure confidence: Currently passing with no earlier failed rows recorded for this suite.

🧭 skill structure🪪 _meta.json shape🧬 _meta.json identity🧾 json parse🐚 shell syntax🟢 node syntax📦 package.json shape🚪 package entrypoints🔒 package-lock shape🔗 docs link integrity

Jump to technical runtime details

Before you install

✅ Good fit if...

You prefer skills that already survived the current runtime lane (functionality-v2).
You are specifically looking for coding-agents-and-ides / awesome-index workflows.

🧰 Before you install...

Expect setup work: this skill references 12 env vars.
Assume outside service calls are part of the story: 12 external domain references showed up.
Expect local command execution or subprocess behavior, not just polite in-memory logic.

⚠️ Watch out for...

Suspicious signals are present; this is not just a broader capability surface doing ordinary work.
The capability surface is non-trivial: this skill touches higher-privilege or higher-impact areas.

Why this label

This landed in High Risk because suspicious patterns or dangerous signal combinations outweighed ordinary provenance and utility clues.

Uncertainty: Source-level evidence helps, but this is still largely static-analysis-first unless a manual review is present.

Evidence strengthStronger evidence: source-level scan available

Suspicious signals4

Higher-impact signals9

Env / secret refs12

Network refs12

Shell signals8

Capability surface and suspicious signals

Capability surface

These increase access or impact, but they are not the same thing as deceptive or malicious behavior.

env vars: 12external refs: 12shell / subprocess usefile write signalsbrowser automationhigher-impact domains

Capability summary

Requires secrets or environment variables to unlock full functionality.References external services or network endpoints.Can invoke shell commands or subprocess-style behavior.

+ 3 more

Suspicious behaviors

These are the signals that count much more heavily against the score.

suspicious signals detected

Suspicious implementation patterns detected: eval(, rm -rf, sudo , password.

Evidence

Env vars

A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8A2AA2A_AGENT_CARD_POISON

+ 9 more

Domains

169.254.169.254/latest/meta-data169.254.169.254/latest/meta-data/iam/security-credentials91.92.242.30/payload

+ 9 more

Binaries

ffmpegghtmux

+ 6 more

Shell signals

exec(spawn(subprocess

+ 5 more

Suspicious

eval(rm -rfsudo

+ 1 more

Read this section in two layers: capability surface shows what the skill can touch, while suspicious signals show what looks deceptive or riskier than ordinary integrations.

🧪 Technical runtime details

baseline safety checks passedtested 2026-03-15 12:00 UTC8 of 8 baseline-v3 checks passedsuite: baseline-v3suite version: baseline-v3harness: 2026-03-13dclassification: passed

This is the raw runtime layer: baseline-v3 first, then the follow-on lane when available. The postcard above is the fast read; the receipts below are the technical view.

🛠 functionality-v2

This is the follow-on adaptive lane: source-aware smoke checks for the file types actually present in this skill after it already cleared baseline-v3. Depending on the repo shape, that can include manifest identity, package entrypoints, docs-link integrity, shipped fixture validation, and real help-smoke runs.

status: passed10 / 10 passedsuite: functionality-v2harness: 2026-03-13p

Selection reasonuntested

Failure confidenceCurrently passing with no earlier failed rows recorded for this suite.

Source fingerprint51d6234593d78b95a2c7a2dd8345689d11828fcf8f136d12c1a467b241c92119

Baseline dependencybaseline-v3

Profile labelsjson, shell, node, markdown, meta-json, package-json, package-lock

🧭 skill structurestatus: passedpassedexit 0250 ms

tap for adaptive receipts

Commandsh -lc test -s /source/SKILL.md && grep -Eq "^#{1,6} " /source/SKILL.md && echo skill-structure-ok

Observed stdoutskill-structure-ok

Observed stderr—

Workspace artifacts0

🪪 _meta.json shapestatus: passedpassedexit 0252 ms

tap for adaptive receipts

Command

node -e const fs=require("fs"); const files=process.argv.slice(1); for (const file of files) { const meta=JSON.parse(fs.readFileSync(file, "utf8")); if (!meta || Array.isArray(meta) || typeof meta !== "object") throw new Error(`${file}: _meta.json must be an object`); if (typeof meta.owner !== "string" || !meta.owner) throw new Error(`${file}: owner missing`); if (typeof meta.slug !== "string" || !meta.slug) throw new Error(`${file}: slug missing`); if (!meta.latest || typeof meta.latest !== "object") throw new Error(`${file}: latest missing`); if (typeof meta.latest.version !== "string" || !meta.latest.version) throw new Error(`${file}: latest.version missing`); if (typeof meta.latest.publishedAt !== "number") throw new Error(`${file}: latest.publishedAt missing`); } console.log(`meta-json-shape-ok:${files.length}`); /source/_meta.json

Observed stdoutmeta-json-shape-ok:1

Observed stderr—

Workspace artifacts0

🧬 _meta.json identitystatus: passedpassedexit 0258 ms

tap for adaptive receipts

Command

node -e const fs=require("fs"); const expectedOwner=process.argv[1]; const expectedSlug=process.argv[2]; const files=process.argv.slice(3); for (const file of files) { const meta=JSON.parse(fs.readFileSync(file, "utf8")); if (meta.owner !== expectedOwner) throw new Error(`${file}: owner mismatch ${meta.owner} !== ${expectedOwner}`); if (meta.slug !== expectedSlug) throw new Error(`${file}: slug mismatch ${meta.slug} !== ${expectedSlug}`); if (meta.history && !Array.isArray(meta.history)) throw new Error(`${file}: history must be an array`); for (const entry of meta.history || []) { if (typeof entry.version !== "string" || !entry.version) throw new Error(`${file}: history.version missing`); if (typeof entry.publishedAt !== "number") throw new Error(`${file}: history.publishedAt missing`); } } console.log(`meta-json-identity-ok:${files.length}`); koatora20 guard-scanner /source/_meta.json

Observed stdoutmeta-json-identity-ok:1

Observed stderr—

Workspace artifacts0

🧾 json parsestatus: passedpassedexit 0260 ms

tap for adaptive receipts

Command

node -e const fs=require("fs"); const files=process.argv.slice(1); for (const file of files) JSON.parse(fs.readFileSync(file, "utf8")); console.log(`json-parse-ok:${files.length}`); /source/_meta.json /source/docs/data/corpus-metrics.json /source/docs/data/latest.json /source/docs/generated/npm-audit-20260312.json /source/docs/generated/openclaw-upstream-status.json /source/docs/spec/capabilities.json /source/docs/spec/finding.schema.json /source/docs/spec/sbom.json /source/openclaw.plugin.json /source/package-lock.json /source/package.json /source/test/fixtures/corpus/security-corpus.json /source/test/fixtures/malicious-skill/package.json /source/tsconfig.build.json /source/tsconfig.json

Observed stdoutjson-parse-ok:15

Observed stderr—

Workspace artifacts0

🐚 shell syntaxstatus: passedpassedexit 0232 ms

tap for adaptive receipts

Command

bash -lc for file do bash -n "$file"; done && echo shell-syntax-ok:$# functionality-shell /source/test/fixtures/owasp-asi03-identity/hijack.sh

Observed stdoutshell-syntax-ok:1

Observed stderr—

Workspace artifacts0

🟢 node syntaxstatus: passedpassedexit 0638 ms

tap for adaptive receipts

Command

sh -lc for file do node --check "$file"; done && echo node-syntax-ok:$# functionality-node /source/bench.js /source/dist/__tests__/scanner.test.js /source/dist/cli.js /source/dist/index.js /source/dist/ioc-db.js /source/dist/patterns.js /source/dist/quarantine.js /source/dist/scanner.js /source/dist/types.js /source/hooks/context.js /source/scripts/benchmark.js /source/scripts/check-openclaw-upstream.js /source/scripts/clawhub-scan.js /source/scripts/corpus-metrics.js /source/scripts/generate-capabilities.js /source/scripts/generate-readme-metrics.js /source/scripts/generate-readme-stats.js /source/scripts/generate-rule-docs.js /source/scripts/generate-sbom.js /source/scripts/lint.js /source/scripts/perf-regression.js /source/scripts/release-gate.js /source/scripts/scan-all.js /source/scripts/sync-capabilities.js

Observed stdoutnode-syntax-ok:24

Observed stderr—

Workspace artifacts0

📦 package.json shapestatus: passedpassedexit 0235 ms

tap for adaptive receipts

Command

node -e const fs=require("fs"); const files=process.argv.slice(1); for (const file of files) { const pkg=JSON.parse(fs.readFileSync(file, "utf8")); if (!pkg || Array.isArray(pkg) || typeof pkg !== "object") throw new Error(`${file}: package.json must be an object`); if (pkg.scripts && (Array.isArray(pkg.scripts) || typeof pkg.scripts !== "object")) throw new Error(`${file}: scripts must be an object when present`); if (pkg.dependencies && (Array.isArray(pkg.dependencies) || typeof pkg.dependencies !== "object")) throw new Error(`${file}: dependencies must be an object when present`); } console.log(`package-json-shape-ok:${files.length}`); /source/package.json /source/test/fixtures/malicious-skill/package.json

Observed stdoutpackage-json-shape-ok:2

Observed stderr—

Workspace artifacts0

🚪 package entrypointsstatus: passedpassedexit 0242 ms

tap for adaptive receipts

Command

node -e const fs=require("fs"); const path=require("path"); const exts=["",".js",".mjs",".cjs",".json","/index.js","/index.mjs","/index.cjs"]; const existsTarget=(base,target)=>{ if (typeof target !== "string" || !target || /^(node:|https?:|@)/.test(target)) return true; const resolved=path.resolve(base,target); return exts.some((suffix)=>fs.existsSync(resolved + suffix)); }; const files=process.argv.slice(1); for (const file of files) { const pkg=JSON.parse(fs.readFileSync(file, "utf8")); const base=path.dirname(file); if (typeof pkg.main === "string" && !existsTarget(base,pkg.main)) throw new Error(`${file}: missing main target ${pkg.main}`); if (typeof pkg.bin === "string" && !existsTarget(base,pkg.bin)) throw new Error(`${file}: missing bin target ${pkg.bin}`); if (pkg.bin && typeof pkg.bin === "object" && !Array.isArray(pkg.bin)) { for (const [name,target] of Object.entries(pkg.bin)) { if (!existsTarget(base,target)) throw new Error(`${file}: missing bin target for ${name}: ${target}`); } } } console.log(`package-json-entrypoints-ok:${files.length}`); /source/package.json

Observed stdoutpackage-json-entrypoints-ok:1

Observed stderr—

Workspace artifacts0

🔒 package-lock shapestatus: passedpassedexit 0240 ms

tap for adaptive receipts

Command

node -e const fs=require("fs"); const files=process.argv.slice(1); for (const file of files) { const lock=JSON.parse(fs.readFileSync(file, "utf8")); if (!lock || Array.isArray(lock) || typeof lock !== "object") throw new Error(`${file}: package-lock must be an object`); if (!Number.isFinite(lock.lockfileVersion)) throw new Error(`${file}: lockfileVersion missing`); const hasPackages=lock.packages && typeof lock.packages === "object" && !Array.isArray(lock.packages); const hasDependencies=lock.dependencies && typeof lock.dependencies === "object" && !Array.isArray(lock.dependencies); if (!hasPackages && !hasDependencies) throw new Error(`${file}: packages/dependencies missing`); } console.log(`package-lock-shape-ok:${files.length}`); /source/package-lock.json

Observed stdoutpackage-lock-shape-ok:1

Observed stderr—

Workspace artifacts0

🔗 docs link integritystatus: passedpassedexit 0330 ms

tap for adaptive receipts

Command

python3 -c import pathlib, re, sys
root=pathlib.Path("/source").resolve()
pattern=re.compile(r"[[^]]+](([^)]+))")
missing=[]
checked=0
for file in [pathlib.Path(p) for p in sys.argv[1:]]:
    try:
        text=file.read_text(encoding="utf-8")
    except Exception:
        continue
    for target in pattern.findall(text):
        target=target.strip().strip("<>")
        if not target or target.startswith(("http://","https://","mailto:","#")):
            continue
        target=target.split("#",1)[0].strip()
        if not target:
            continue
        checked += 1
        resolved=(file.parent / target).resolve()
        try:
            resolved.relative_to(root)
        except ValueError:
            missing.append(f"{file}: outside-source link -> {target}")
            continue
        if not resolved.exists():
            missing.append(f"{file}: missing -> {target}")
if missing:
    raise SystemExit("\n".join(missing[:20]))
print(f"docs-local-links-ok:{checked}") /source/CHANGELOG.md /source/CODE_OF_CONDUCT.md /source/CONTRIBUTING.md /source/docs/EVIDENCE_DRIVEN.md /source/docs/glossary.md /source/docs/OPENCLAW_DOCS_PR_READY_PATCH.md /source/docs/OPENCLAW_HOOK_SCHEMA_REFERENCE_DRAFT.md /source/docs/openclaw-compatibility-audit.md /source/docs/openclaw-continuous-compatibility-plan.md /source/docs/rules/a2a-contagion.md /source/docs/rules/advanced-exfil.md /source/docs/rules/agent-protocol.md /source/docs/rules/api-abuse.md /source/docs/rules/autonomous-risk.md /source/docs/rules/config-impact.md /source/docs/rules/credential-handling.md /source/docs/rules/cve-patterns.md /source/docs/rules/data-exposure.md /source/docs/rules/exfiltration.md /source/docs/rules/financial-access.md /source/docs/rules/identity-hijack.md /source/docs/rules/inference-manipulation.md /source/docs/rules/leaky-skills.md /source/docs/rules/malicious-code.md

Observed stdout—

Observed stderr—

Workspace artifacts0

Selection reasonuntested

Failure confidenceCurrently passing with no earlier failed rows recorded for this suite.

Source fingerprint51d6234593d78b95a2c7a2dd8345689d11828fcf8f136d12c1a467b241c92119

Worker hostoc-sandbox

Source cache hitno

Suite duration2526 ms

📦 Source mountstatus: passedpassedexit 0281 ms

tap for the raw receipts

Tested at2026-03-15 12:00 UTC

Command

sh -lc find /source -maxdepth 2 -type f | sort | sed -n "1,12p" > /workspace/source-files.txt && wc -l /workspace/source-files.txt && cat /workspace/source-files.txt

Classificationpassed

Image digestbusybox@sha256:b9598f8c98e24d0ad42c1742c32516772c3aa2151011ebaf639089bd18c605b8

Worker hostoc-sandbox

Harness version2026-03-13d

Suite versionbaseline-v3

Networknone

Fake env injectedno

Fake env leaknot detected

Read-only rootyes

No new privilegesyes

Capabilities droppedyes

Source files staged206

Workspace files produced1

stdout size289 B

stderr size0 B

stdout sha256743968c6ff7a4a30f5f30e4e04e286af82184feeda08c594088b25f2ab0727e5

stderr sha256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Observed stdout:

12 /workspace/source-files.txt
/source/CHANGELOG.md
/source/CODE_OF_CONDUCT.md
/source/CONTRIBUTING.md
/source/GOVERNANCE.md
/source/MAINTAINERS.md
/source/README.md
/source/README_ja.md
/source/ROADMAP-RESEARCH.md
/source/ROADMAP.md
/source/SECURITY.md
/source/SKILL.md
/source/STATUS.md

Observed stderr:

(empty)

Workspace artifacts:

source-files.txt (258 B)

🔒 Source write guardstatus: passedpassedexit 0265 ms

tap for the raw receipts

Tested at2026-03-15 12:00 UTC

Command

sh -lc touch /source/driftbot-write-test >/tmp/source-write.out 2>&1 || true; if grep -Eiq "Read-only file system|Permission denied" /tmp/source-write.out || [ ! -e /source/driftbot-write-test ]; then echo source-readonly; fi

Classificationpassed

Image digestbusybox@sha256:b9598f8c98e24d0ad42c1742c32516772c3aa2151011ebaf639089bd18c605b8

Worker hostoc-sandbox

Harness version2026-03-13d

Suite versionbaseline-v3

Networknone

Fake env injectedno

Fake env leaknot detected

Read-only rootyes

No new privilegesyes

Capabilities droppedyes

Source files staged206

Workspace files produced0

stdout size16 B

stderr size0 B

stdout sha256a65af92097dc754e9cac4a455c5378d78b05e7927705ae45e1d20a24c4c1fd3c

stderr sha256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Observed stdout:

source-readonly

Observed stderr:

(empty)

Workspace artifacts:

No workspace artifacts produced.

📝 Workspace writestatus: passedpassedexit 0233 ms

tap for the raw receipts

Tested at2026-03-15 12:00 UTC

Command

sh -lc echo workspace-ok > /workspace/write-check.txt && grep -q "workspace-ok" /workspace/write-check.txt && echo workspace-write-ok

Classificationpassed

Image digestbusybox@sha256:b9598f8c98e24d0ad42c1742c32516772c3aa2151011ebaf639089bd18c605b8

Worker hostoc-sandbox

Harness version2026-03-13d

Suite versionbaseline-v3

Networknone

Fake env injectedno

Fake env leaknot detected

Read-only rootyes

No new privilegesyes

Capabilities droppedyes

Source files staged206

Workspace files produced1

stdout size19 B

stderr size0 B

stdout sha25681487f7df7b83c1d3fae9c36fb1009328fa34feca0f5c1581674de4cba29e6f5

stderr sha256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Observed stdout:

workspace-write-ok

Observed stderr:

(empty)

Workspace artifacts:

write-check.txt (13 B)

🌐 Hostname network denialstatus: passedpassedexit 0256 ms

tap for the raw receipts

Tested at2026-03-15 12:00 UTC

Command

sh -lc wget -T 3 -qO- http://example.com >/tmp/http-host.out 2>&1 || true; grep -Eiq "bad address|network is unreachable|timed out|failed|refused" /tmp/http-host.out && echo network-host-blocked

Classificationpassed

Image digestbusybox@sha256:b9598f8c98e24d0ad42c1742c32516772c3aa2151011ebaf639089bd18c605b8

Worker hostoc-sandbox

Harness version2026-03-13d

Suite versionbaseline-v3

Networknone

Fake env injectedno

Fake env leaknot detected

Read-only rootyes

No new privilegesyes

Capabilities droppedyes

Source files staged206

Workspace files produced0

stdout size21 B

stderr size0 B

stdout sha256aa4c95f392f2c19669ae67769237c23b54efb5f5e26a8ac8f11162ef28e7f141

stderr sha256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Observed stdout:

network-host-blocked

Observed stderr:

(empty)

Workspace artifacts:

No workspace artifacts produced.

🧱 Raw-IP network denialstatus: passedpassedexit 0222 ms

tap for the raw receipts

Tested at2026-03-15 12:00 UTC

Command

sh -lc wget -T 3 -qO- http://1.1.1.1 >/tmp/http-ip.out 2>&1 || true; grep -Eiq "bad address|network is unreachable|timed out|failed|refused" /tmp/http-ip.out && echo network-ip-blocked

Classificationpassed

Image digestbusybox@sha256:b9598f8c98e24d0ad42c1742c32516772c3aa2151011ebaf639089bd18c605b8

Worker hostoc-sandbox

Harness version2026-03-13d

Suite versionbaseline-v3

Networknone

Fake env injectedno

Fake env leaknot detected

Read-only rootyes

No new privilegesyes

Capabilities droppedyes

Source files staged206

Workspace files produced0

stdout size19 B

stderr size0 B

stdout sha256ee48345f6e97282a8b1f42753df3c9b37886403c60b09a044657b95126bae8b1

stderr sha256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Observed stdout:

network-ip-blocked

Observed stderr:

(empty)

Workspace artifacts:

No workspace artifacts produced.

🧪 Fake-env handlingstatus: passedpassedexit 0238 ms

tap for the raw receipts

Tested at2026-03-15 12:00 UTC

Commandsh -lc env | grep -E "OPENAI_API_KEY|SLACK_BOT_TOKEN|GITHUB_TOKEN" | sed "s/=.*$/=REDACTED/"

Classificationpassed

Image digestbusybox@sha256:b9598f8c98e24d0ad42c1742c32516772c3aa2151011ebaf639089bd18c605b8

Worker hostoc-sandbox

Harness version2026-03-13d

Suite versionbaseline-v3

Networknone

Fake env injectedyes

Fake env leaknot detected

Read-only rootyes

No new privilegesyes

Capabilities droppedyes

Source files staged206

Workspace files produced0

stdout size71 B

stderr size0 B

stdout sha256d714e2d3c2043f53d26d2deebac9b26a17f96f8d20158469b586bb598bc80c57

stderr sha256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Observed stdout:

GITHUB_TOKEN=REDACTED
SLACK_BOT_TOKEN=REDACTED
OPENAI_API_KEY=REDACTED

Observed stderr:

(empty)

Workspace artifacts:

No workspace artifacts produced.

🗝️ Secret-path isolationstatus: passedpassedexit 0243 ms

tap for the raw receipts

Tested at2026-03-15 12:00 UTC

Commandsh -lc test ! -e /root/.ssh && test ! -e /home/claw1/.ssh && test ! -e /workspace/.ssh && echo no-host-secrets

Classificationpassed

Image digestbusybox@sha256:b9598f8c98e24d0ad42c1742c32516772c3aa2151011ebaf639089bd18c605b8

Worker hostoc-sandbox

Harness version2026-03-13d

Suite versionbaseline-v3

Networknone

Fake env injectedno

Fake env leaknot detected

Read-only rootyes

No new privilegesyes

Capabilities droppedyes

Source files staged206

Workspace files produced0

stdout size16 B

stderr size0 B

stdout sha256e95cf953e01cafd431be70f0f5539c4c0ae8961ef5cff96d968a29509597c797

stderr sha256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Observed stdout:

no-host-secrets

Observed stderr:

(empty)

Workspace artifacts:

No workspace artifacts produced.

🐳 Docker socket denialstatus: passedpassedexit 0239 ms

tap for the raw receipts

Tested at2026-03-15 12:00 UTC

Commandsh -lc test ! -S /var/run/docker.sock && echo no-docker-socket

Classificationpassed

Image digestbusybox@sha256:b9598f8c98e24d0ad42c1742c32516772c3aa2151011ebaf639089bd18c605b8

Worker hostoc-sandbox

Harness version2026-03-13d

Suite versionbaseline-v3

Networknone

Fake env injectedno

Fake env leaknot detected

Read-only rootyes

No new privilegesyes

Capabilities droppedyes

Source files staged206

Workspace files produced0

stdout size17 B

stderr size0 B

stdout sha256702d41c3742c72aff24f584ad0138f2df38b424090d03d3b3e85e3212f0df2ef

stderr sha256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Observed stdout:

no-docker-socket

Observed stderr:

(empty)

Workspace artifacts:

No workspace artifacts produced.

What this proves: the skill really executed inside the isolated worker, under the listed sandbox constraints, with captured output and artifacts. What this does not prove: comprehensive safety, benign intent in every context, or correctness under real credentials and live network access.

Publisher and provenance

Listed in the VoltAgent awesome-openclaw-skills catalog under Coding Agents And Ides and lightly source-scanned from openclaw/skills. This is stronger evidence than catalog metadata alone, but still not a full runtime audit.

Source type: awesome-index

Source path: https://github.com/openclaw/skills/tree/main/skills/koatora20/guard-scanner/SKILL.md

Source URL: https://github.com/openclaw/skills/tree/main/skills/koatora20/guard-scanner/SKILL.md

Discovery category: Coding Agents And Ides

Manual review

No human review yet. The scorecard is currently static-analysis-first.

Community signals

These are community attention markers, not crowd-sourced truth. Click what feels especially worth flagging or reviewing.

Related skills

kefir-batch-manager

p-salmon · Trusted

overall

Comprehensive kéfir batch management system with cycle tracking, intelligent reminders, grain health monitoring, and recipe management. Use when managing kéfir fermentation cycles, tracking grain health, calculating ratios, scheduling reminders, or maintaining fermentation records.

echo-agent

krishna3554 · Trusted

overall

EchoAgent is a minimal OpenClaw-compatible skill.

japanese-tutor

chndranndr · Trusted

overall

Interactive Japanese learning assistant. Supports vocabulary, grammar, quizzes, roleplay, PDF/DOCX material parsing for study/homework help, and OCR translation.