Skill: Guardian

Owner: bluemax30001

Summary: Local-first security scanner for OpenClaw agents. Detects prompt injection, exfiltration patterns, tool abuse, and social engineering using bundled signatures.

Tags: latest:2.2.0

Version history:

v2.2.0 | 2026-02-27T19:10:42.899Z | user

Fix dashboard expansion state: blocked/flagged/critical/high items now expand by default, user toggles persist via localStorage across auto-refresh (BL-038). 183 tests passing.

v2.1.0 | 2026-02-27T13:14:34.224Z | user

Pro tier foundation: Stripe billing integration (SubscriptionManager, webhook handling, billing portal), premium gated endpoints, 60 new billing tests. Packaging fix: billing module correctly scoped inside skill directory. Version metadata bumped across SKILL.md, _meta.json, pyproject.toml. 180 tests passing.

v2.0.20 | 2026-02-26T03:08:58.222Z | user

v2.0.20: Fix --dry-run misleading success message (now shows [DRY RUN] prefix). Fix blank trusted channels in onboarding notification (now shows helpful fallback). Fix test_api/integrations/serve ModuleNotFoundError via conftest sys.path. 121 tests passing.

v2.0.19 | 2026-02-25T22:38:48.226Z | user

Fix: API now binds to 0.0.0.0 so remote dashboard actions (dismiss/approve/block) work. Fix: full context expansion with evidence highlight. Fix: Scanned Today KPI added. Fix: threat merge logic uses richer data source.

v2.0.18 | 2026-02-25T21:04:43.591Z | user

Dashboard UX overhaul: split warning/blocked sections, inline context with highlighted evidence, state-based actions, channel volume metrics, persistent dismiss state, capability restriction layer, override audit trail.

v2.0.17 | 2026-02-25T04:07:19.387Z | user

Dashboard loading hardening: API-first with fallback, timeout guards, split warning/blocked review sections, and stability fixes.

v2.0.14 | 2026-02-24T05:38:40.348Z | user

Clarify install mechanism/scope/privacy and optional outbound behavior; remove trigger-phrase examples from README.

v2.0.13 | 2026-02-24T00:52:59.495Z | user

Remove metadata env requirements to avoid required-env mismatch; keep env reads documented as optional in SKILL.md.

v2.0.12 | 2026-02-24T00:35:21.174Z | user

Fix metadata/env consistency for evaluator, document OPENCLAW_* env reads, and tighten allowlist safety wording.

v2.0.11 | 2026-02-23T23:53:38.352Z | user

Resubmit package for moderation refresh after VT-clean evidence escalation.

v2.0.10 | 2026-02-23T11:18:43.316Z | user

Add onboarding checklist + post-install hint; keep optional HTTP/webhook documented; bundled signatures intact.

v2.0.9 | 2026-02-23T05:12:30.175Z | user

Restore optional HTTP server and webhook; document network/shell permissions; keep core defs bundled.

v2.0.8 | 2026-02-23T05:09:24.954Z | user

Add onboarding cron helper back (documented), keep core signatures bundled, docs stay accurate.

v2.0.7 | 2026-02-23T04:52:28.392Z | user

Restore bundled signatures; keep docs accurate; retain core definitions in package.

v2.0.6 | 2026-02-23T03:09:34.964Z | user

Fix documentation accuracy: remove misleading network claims, exclude non-core scripts (webhook, HTTP server, onboard), trim SKILL.md to match actual runtime behavior

v2.0.5 | 2026-02-22T06:44:12.330Z | user

Clean install.sh, remove stale encoded refs, trim SKILL.md scope for scan compliance

v2.0.4 | 2026-02-22T05:24:01.330Z | user

Fix security scan compliance: add metadata.openclaw frontmatter, fix .clawhubignore patterns, exclude plaintext definitions and update utility

v2.0.3 | 2026-02-21T13:33:10.503Z | user

v2.0.3: tighten package (.clawhubignore runtime-only), add SECURITY note, encoded defs only, no external exec; includes capability restriction layer.

v2.0.2 | 2026-02-21T03:53:51.108Z | user

v2.0.2: Encoded signature definitions to prevent false positive security scan flags. 161 signatures, 123 tests, production hardened.

v2.0.1 | 2026-02-21T03:46:35.325Z | user

v2.0.1: Clean republish. 161 signatures, 123 tests passing, production hardened.

v2.0.0 | 2026-02-21T03:12:26.893Z | user

v2.0.0: 161 signatures (infostealer, memory poisoning, ToxicSkills, Telegram OAuth patterns), cron dedup fix, dev file cleanup, full test suite (123 passing), dry-run UX fix, trusted channels fallback.

v1.12.0 | 2026-02-20T22:10:11.651Z | user

161 threat signatures (+11 new): Vidar infostealer targeting OpenClaw configs (EXF-033), AI memory poisoning via web content (INJ-053), ToxicSkills base64/shell injection (TAB-028-030), Telegram OAuth session hijacking suite (SOC-021-026, EXF-034-037), AI deepfake persona lures (SOC-027). Plus: cron dedup guard + --clean-crons, .clawhubignore for clean package, 108 tests all passing, manifest accuracy enforced.

v1.11.0 | 2026-02-20T17:47:59.742Z | user

7-action threat menu: Block Sender, Escalate, Report False Positive, View Similar, Approve, Ignore, Dismiss. New blocklist + false_positive_reports DB tables. Full API + UI. Plus Guardian Marketing/GTM automation skill to drive adoption.

v1.10.1 | 2026-02-20T05:43:06.321Z | user

Re-publish to trigger ClawHub security scan (no code changes from 1.10.0)

v1.10.0 | 2026-02-20T04:03:48.219Z | user

v1.10.0: Dashboard accuracy overhaul — severity sort fixed (chronological not score), critical banner now only fires for unhandled threats, one-click Approve flow creates allowlist patterns from real detections. QA: 4/4 passing.

v1.9.0 | 2026-02-20T03:14:25.912Z | user

Alert context view (3 lines before/after), signature count fix, Control UI integration, channels breakdown, dashboard UX improvements

v1.8.0 | 2026-02-19T20:07:49.424Z | user

v1.8.0: False positive suppression (90% reduction), allowlist for system messages, daily digest to Telegram, UX polish (story hook + better invocation), privacy fixes. QA: 7/7 beats passing.

v1.7.2 | 2026-02-19T19:17:42.435Z | user

Fixed install.sh workspace detection - marker now written to workspace root

v1.7.1 | 2026-02-19T19:16:12.370Z | user

v1.7.1: Fixed install.sh workspace detection - activation marker now correctly written to workspace root (not skill directory). Fresh installs now properly trigger auto-activation flow.

v1.7.0 | 2026-02-19T10:39:19.380Z | user

v1.7.0: Privacy audit — removed all personal data from distributed package. Added .clawhubignore (.venv, db files, live data excluded). Fixed data leak in onboard.py (no longer reads developer's own scan stats for fresh installs). config.json trusted_sources now ships empty with guidance note. SKILL.md IP example genericised.

v1.6.0 | 2026-02-19T10:27:40.166Z | user

v1.6.0: README rewritten around the user story — leads with the problem ('heard about security risks'), shows the install-to-protected journey, plain English throughout. Technical docs moved below the fold.

v1.5.0 | 2026-02-19T10:24:14.913Z | user

v1.5.0: Complete self-activation flow. install.sh writes .guardian-activate-pending marker. Agent detects it on next heartbeat/startup, runs full guided activation, sends notifications + config review to user, sets up crons, confirms operational, deletes marker. No terminal watching required.

v1.4.0 | 2026-02-19T10:21:37.954Z | user

v1.4.0: Proper onboarding UX. --status shows what's running vs not (scanner, export, daily digest, dashboard server). --setup-crons auto-installs missing cron jobs. Full setup checklist sent to user on first install. Agent instructions explicit: run, send notification, set up crons, confirm operational.

v1.3.0 | 2026-02-19T10:20:46.538Z | user

v1.3.0: Proper onboarding UX. --status shows what's running vs not (scanner, export, daily digest, dashboard server). --setup-crons auto-installs missing cron jobs. Full setup checklist sent to user on first install. Agent instructions explicit: run, send notification, set up crons, confirm operational.

v1.2.0 | 2026-02-19T10:17:24.425Z | user

v1.2.0: Fixed onboarding UX — agent now actively sends activation notification to user's channel on first load (not just stdout). Added --config-review guided walkthrough. SKILL.md now has imperative first-load trigger at top.

v1.1.0 | 2026-02-19T10:12:04.956Z | user

v1.1.0: Added onboarding system — onboard.py auto-generates GUARDIAN.md (agent briefing) and sends activation notification to admin. New standalone guardian.html dashboard. GUARDIAN.md template with trust model, BLOCK/WARN/PASS rules, and response templates.

v1.0.1 | 2026-02-19T09:54:53.080Z | user

Fix: removed internal marketing assets from release; fix install.sh PYTHONPATH for fresh installs; clean file structure

v1.0.0 | 2026-02-19T09:41:34.411Z | user

Initial release — real-time prompt injection detection, data exfiltration prevention, tool abuse monitoring, admin controls, 22 tests, MIT licensed

Archive index:

Archive v2.2.0: 43 files, 100835 bytes

Files: _meta.json (127b), billing/init.py (768b), billing/billing_endpoints.py (13324b), billing/stripe_integration.py (44944b), config.json (3623b), core/init.py (157b), core/api.py (3236b), core/cache.py (5281b), core/guardian_db.py (29558b), core/realtime.py (5474b), core/scanner.py (11001b), core/settings.py (6828b), definitions/exfil-patterns.json (9354b), definitions/injection-sigs.json (12337b), definitions/manifest.json (622b), definitions/openclaw-hardening.json (2842b), definitions/social-engineering.json (8343b), definitions/tool-abuse.json (4895b), definitions/update.py (12147b), guardian/init.py (152b), guardian/capability.py (15126b), guardian/integrations/init.py (184b), guardian/integrations/langchain.py (154b), guardian/integrations/webhook.py (125b), install.sh (2651b), integrations/init.py (47b), integrations/langchain.py (1881b), integrations/webhook.py (1259b), pyproject.toml (598b), quickstart.py (2006b), README.md (2367b), scripts/init.py (35b), scripts/admin.py (23011b), scripts/check_updates.py (3077b), scripts/daily_digest.py (2386b), scripts/dashboard_export.py (7806b), scripts/guardian.py (19503b), scripts/onboard.py (43408b), scripts/primary_notify_local.py (815b), scripts/serve.py (34469b), scripts/telegram_notify.py (7908b), SECURITY.md (1417b), SKILL.md (4683b)

File v2.2.0:SKILL.md

---

name: clawguardian description: Local-first security scanner for OpenClaw agents. Detects prompt injection, exfiltration patterns, tool abuse, and social engineering using bundled signatures. version: 2.2.0 metadata: openclaw: requires: bins: - python3 env: - GUARDIAN_WORKSPACE - GUARDIAN_CONFIG - OPENCLAW_WORKSPACE - OPENCLAW_CONFIG_PATH permissions: - read_workspace - write_workspace - shell_optional - network_optional

Guardian

Security scanner for OpenClaw agents. Detects prompt injection, credential exfiltration attempts, tool abuse patterns, and social engineering attacks using regex-based signature matching.

Guardian provides two scanning modes:

• Real-time pre-scan — checks each incoming message before it reaches the model
• Batch scan — periodic sweep of workspace files and conversation logs

All data stays local. This release removes optional webhook/API networking paths to reduce moderation risk. Cron setup remains optional via scripts/onboard.py --setup-crons.

Scan results are stored in a SQLite database (guardian.db).

Installation

cd ~/.openclaw/skills/guardian
./install.sh

Install mechanism and review

This package includes executable scripts (including install.sh) and Python modules. Review install.sh before running in production. install.sh performs local setup/validation; optional helper onboard.py is opt-in for cron setup.

Onboarding checklist

1. Optional: python3 scripts/onboard.py --setup-crons (scanner/report/digest crons)
2. python3 scripts/admin.py status (confirm running)
3. python3 scripts/admin.py threats (confirm signatures loaded; should show 0/blocked)
4. Optional: review config.json scan_paths and threshold for your environment

First-load / self-activation

After install.sh completes, it writes .guardian-activate-pending to the workspace root (~/.openclaw/workspace/.guardian-activate-pending). When OpenClaw detects this marker on next load, it triggers onboard.py automatically for the self-activation flow. The marker is removed once onboard.py has run. If you prefer manual onboarding, simply delete the marker before reloading (rm ~/.openclaw/workspace/.guardian-activate-pending).

Scan scope and privacy

Guardian scans configured workspace paths to detect threats. Depending on scan_paths, this can include other skill/config files in your OpenClaw workspace. If you handle sensitive files, set narrow scan_paths in config.json.

Quick Start

# Check status
python3 scripts/admin.py status

# Scan recent threats
python3 scripts/guardian.py --report --hours 24

# Full report
python3 scripts/admin.py report

Admin Commands

python3 scripts/admin.py status          # Current status
python3 scripts/admin.py enable          # Enable scanning
python3 scripts/admin.py disable         # Disable scanning
python3 scripts/admin.py threats         # List detected threats
python3 scripts/admin.py threats --clear # Clear threat log
python3 scripts/admin.py dismiss INJ-004 # Dismiss a signature
python3 scripts/admin.py allowlist add "safe phrase"
python3 scripts/admin.py allowlist remove "safe phrase"
python3 scripts/admin.py update-defs     # Update threat definitions

Add --json to any command for machine-readable output.

Python API

from core.realtime import RealtimeGuard

guard = RealtimeGuard()
result = guard.scan_message(user_text, channel="telegram")
if guard.should_block(result):
    return guard.format_block_response(result)

Environment variables read

• GUARDIAN_WORKSPACE (optional workspace override)
• OPENCLAW_WORKSPACE (optional fallback workspace override)
• GUARDIAN_CONFIG (optional guardian config path)
• OPENCLAW_CONFIG_PATH (optional OpenClaw config path)

Configuration

Edit config.json:

| Setting | Description | |---|---| | enabled | Master on/off switch | | severity_threshold | Blocking threshold: low / medium / high / critical | | scan_paths | Paths to scan (["auto"] for common folders) | | db_path | SQLite location ("auto" = <workspace>/guardian.db) |

How It Works

Guardian loads threat signatures from definitions/*.json files. Each signature has an ID, regex pattern, severity level, and category. Incoming text is matched against all active signatures. Matches above the configured severity threshold are blocked and logged to the database.

Signatures cover: prompt injection, credential patterns (API keys, tokens), data exfiltration attempts, tool abuse patterns, and social engineering tactics.

File v2.2.0:README.md

🛡️ Guardian — Security scanner for OpenClaw agents

Detects prompt injection, credential exfiltration, tool abuse, and social engineering in real time. Runs locally with bundled signatures.

---

Install

clawhub install guardian
cd ~/.openclaw/skills/guardian && ./install.sh

Install & safety note

This package includes executable scripts (install.sh, optional onboarding/API/webhook helpers). Review install.sh before running in production environments.

Onboarding checklist (fast)

1. Optional: python3 scripts/onboard.py --setup-crons (scanner/report/digest crons)
2. python3 scripts/admin.py status (confirm running)
3. python3 scripts/admin.py threats (confirm signatures loaded; should show 0/blocked)
4. Optional: review config.json scan paths and thresholds

Scan scope

Guardian scans configured workspace paths and may read other skill/config files under those paths for detection. Use narrow scan_paths in config.json if needed.

Quick commands

python3 scripts/admin.py status          # running?
python3 scripts/admin.py threats         # list detected threats
python3 scripts/admin.py report          # full summary
python3 scripts/admin.py update-defs     # update signatures (bundled by default)

Add --json to any command for machine-readable output.

Dashboard

cd skills/guardian/dashboard && python3 -m http.server 8091
# http://localhost:8091/guardian.html

Optional components

• Cron helper: scripts/onboard.py --setup-crons (scanner/report/digest crons)

Python API

from core.realtime import RealtimeGuard

guard = RealtimeGuard()
result = guard.scan_message("test payload", channel="telegram")
if guard.should_block(result):
    print(result.top_threat)

What it protects against

• Prompt injection / indirect injection
• Credential patterns / exfiltration attempts
• Tool abuse patterns (read → send)
• Social engineering / fake authority

How it works

• Bundled signatures in definitions/*.json (regex-based)
• Real-time pre-scan + batch scan
• Logs to SQLite (guardian.db)

Permissions (declared)

• read_workspace, write_workspace
• shell_optional (cron helper)
• network_optional (webhook/HTTP API — opt-in)

MIT License. Questions? clawhub.ai/bluemax30001/guardian

File v2.2.0:_meta.json

{ "ownerId": "kn79g86yk0svgtfdr8wkx14bf981f0s7", "slug": "guardian", "version": "2.2.0", "publishedAt": 1772219442899 }

File v2.2.0:SECURITY.md

Security Notes

What Guardian accesses

• Reads: Workspace files, conversation logs, definition files (JSON)
• Writes: guardian.db (SQLite) for scan results and threat history
• Shell: admin.py update-defs and onboard.py --setup-crons invoke subprocesses (crontab setup, signature updates). Explicit operator actions.
• Network (optional):
  • integrations/webhook.py can POST scan results to a configured URL
  • scripts/serve.py runs an HTTP API server if you start it
  • Both are disabled unless you configure/start them. Documented in SKILL.md.
• Base64: Definition files may be base64-encoded; decoded at load time to extract signature patterns.

Permissions

| Permission | Used by | Purpose | |---|---|---| | read_workspace | core/scanner.py | Read files to scan for threats | | write_workspace | core/guardian_db.py | Write scan results to SQLite | | shell_optional | scripts/onboard.py | Optional cron setup via subprocess/crontab |

No credentials required

Guardian does not need API keys, tokens, or external service credentials. All scanning is local regex matching against bundled signature definitions. Optional network features are opt-in and documented.

Outbound caution

If you enable webhook notifications, payloads may include matched evidence snippets. Review sanitization and endpoint handling before enabling in sensitive environments.

File v2.2.0:config.json

{ "enabled": true, "admin_override": false, "scan_paths": [ "auto" ], "db_path": "auto", "scan_interval_minutes": 2, "severity_threshold": "medium", "dismissed_signatures": [ "INJ-004", "INJ-015" ], "custom_definitions_dir": null, "channels": { "monitor_all": true, "exclude_channels": [] }, "alerts": { "notify_on_critical": true, "notify_on_high": false, "daily_digest": true, "daily_digest_time": "09:00", "primary_notify_command": "python3 /home/bluemax/.openclaw/workspace/skills/guardian/scripts/telegram_notify.py" }, "admin": { "bypass_token": null, "disable_until": null, "trusted_sources": [], "_trusted_sources_note": "Add your primary channel: telegram, discord, signal, slack", "require_confirmation_for_severity": [ "critical" ] }, "false_positive_suppression": { "min_context_words": 3, "suppress_assistant_number_matches": true, "allowlist_patterns": [ "WORKFLOW_AUTO\.md", "(?i)openclaw\s+(internal|system|post-compaction|audit)", "(?i)post-compaction\s+(audit|restore|protocol)", "(?i)system\s+(reminder|protocol|message).(?:read|follow|check).(?:SOUL\.md|USER\.md|MEMORY\.md|WORKFLOW_AUTO\.md)" ], "_allowlist_note": "Patterns that suppress specific false positives. Use narrow, audited patterns only; broad patterns can reduce detection coverage." }, "pro_tier": { "enabled": false, "_note": "Guardian Pro tier ($9/mo). Set enabled=true and configure billing settings to activate.", "billing": { "stripe_price_id": "", "_stripe_price_id_note": "Stripe Price ID for the $9/mo Guardian Pro plan (e.g. price_1ABC...)", "billing_db_path": "auto", "_billing_db_path_note": "Path to billing SQLite cache. 'auto' uses <skill_root>/billing.db", "webhook_endpoint": "/billing/webhook", "_webhook_note": "Register this path in your Stripe dashboard as the webhook endpoint" }, "features": { "premium_signatures": true, "_premium_signatures_note": "Pro users receive extended threat signature packs updated in real-time", "extended_analytics": true, "_extended_analytics_note": "30-day trend charts, category breakdowns, and export to CSV", "priority_support": true, "api_rate_limit_5x": true, "_api_rate_limit_note": "Pro tier gets 5x API rate limit (500 req/min vs 100 for free)", "export_csv": true, "custom_alert_rules": true, "_custom_alert_rules_note": "Create per-signature or per-channel alert rules with custom thresholds" }, "signature_delivery": { "premium_definition_packs": [ "advanced-injection-v2.json", "llm-jailbreaks.json", "supply-chain-attacks.json", "insider-threat-indicators.json" ], "_premium_packs_note": "Definition packs only served to verified Pro subscribers", "update_channel": "pro", "_update_channel_note": "pro | stable | canary — Pro subscribers receive updates before stable" }, "access_control": { "gating_mode": "soft", "_gating_mode_note": "soft: serve free tier on auth failure | hard: block entirely on auth failure", "grace_period_hours": 72, "_grace_period_note": "Hours of Pro access after payment failure before downgrading to free", "user_id_header": "X-Guardian-User-Id", "_user_id_header_note": "HTTP header used to identify the user for subscription lookup" } }, "_comment": "Guardian Security Skill — Configuration. See README.md and BILLING.md for details." }

File v2.2.0:definitions/exfil-patterns.json

{ "category": "data_exfiltration", "version": "1.0.0", "updated": "2026-02-21", "signatures": [ { "id": "EXF-001", "severity": "critical", "score": 95, "description": "AWS Access Key", "pattern": "AKIA[0-9A-Z]{16}", "flags": "" }, { "id": "EXF-002", "severity": "critical", "score": 95, "description": "AWS Secret Key", "pattern": "(?i)aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+=]{40}", "flags": "" }, { "id": "EXF-003", "severity": "critical", "score": 95, "description": "OpenAI API Key", "pattern": "sk-[A-Za-z0-9]{20,}", "flags": "" }, { "id": "EXF-004", "severity": "critical", "score": 95, "description": "Anthropic API Key", "pattern": "sk-ant-[A-Za-z0-9-]{20,}", "flags": "" }, { "id": "EXF-005", "severity": "critical", "score": 93, "description": "GCP API Key", "pattern": "AIza[0-9A-Za-z_-]{35}", "flags": "" }, { "id": "EXF-006", "severity": "critical", "score": 93, "description": "GitHub Token", "pattern": "gh[pousr][A-Za-z0-9]{36,}", "flags": "" }, { "id": "EXF-007", "severity": "critical", "score": 90, "description": "Generic Bearer Token", "pattern": "(?i)bearer\s+[A-Za-z0-9.-]{20,}", "flags": "" }, { "id": "EXF-008", "severity": "critical", "score": 95, "description": "Australian TFN (Tax File Number)", "pattern": "(?i)(?:tfn|tax\sfile\snumber)[\s:()]?(?:is|number)?[\s:()]\d{3}[\s-]?\d{3}[\s-]?\d{3}", "flags": "", "name": "Australian TFN (with context)" }, { "id": "EXF-009", "severity": "critical", "score": 92, "description": "Australian Medicare Number", "pattern": "(?i)(?:bsb)\s*:?\s*\d{3}[\s-]?\d{3}(?:\s+\w+){0,2}?\s+\d{6,10}", "flags": "", "name": "BSB + Account (with context)" }, { "id": "EXF-010", "severity": "high", "score": 85, "description": "Australian ABN", "pattern": "\bABN\s*:?\s*\d{2}\s?\d{3}\s?\d{3}\s?\d{3}\b", "flags": "i" }, { "id": "EXF-011", "severity": "high", "score": 85, "description": "Australian BSB + Account (with context)", "pattern": "(?i)(?:bsb|account|banking|transfer|payment|balance)[\s:](?:number|is|to)?[\s:](?:\d{3}[\s-]?\d{3})(?:\s+\w+){0,2}?\s+\d{6,10}", "flags": "", "name": "BSB + Account (requires financial context)" }, { "id": "EXF-012", "severity": "critical", "score": 95, "description": "Credit Card (Visa)", "pattern": "(?i)(?:card|visa|credit|payment)\s*:?\s4\d{3}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}", "flags": "", "name": "Visa Card Number (with context)" }, { "id": "EXF-013", "severity": "critical", "score": 95, "description": "Credit Card (Mastercard)", "pattern": "(?i)(?:card|master|credit|payment)\s:?\s5[1-5]\d{2}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}", "flags": "", "name": "Mastercard Number (with context)" }, { "id": "EXF-014", "severity": "critical", "score": 95, "description": "Credit Card (Amex)", "pattern": "\b3[47]\d{2}[\s-]?\d{6}[\s-]?\d{5}\b", "flags": "" }, { "id": "EXF-015", "severity": "high", "score": 85, "description": "Password in plaintext", "pattern": "(?i)(password|passwd|pwd)\s[=:]\s*\S{4,}", "flags": "" }, { "id": "EXF-016", "severity": "high", "score": 82, "description": "Credential mention", "pattern": "(?i)(my\s+password\s+is|credentials\s+are|login\s+details)\s*:?\s*\S+", "flags": "" }, { "id": "EXF-017", "severity": "high", "score": 80, "description": "Private key header", "pattern": "-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----", "flags": "" }, { "id": "EXF-018", "severity": "high", "score": 80, "description": "SSH private key", "pattern": "-----BEGIN\s+OPENSSH\s+PRIVATE\s+KEY-----", "flags": "" }, { "id": "EXF-019", "severity": "high", "score": 78, "description": "Webhook URL with token", "pattern": "https?://[^\s]*webhook[^\s]*token[=][^\s]+", "flags": "i" }, { "id": "EXF-020", "severity": "high", "score": 82, "description": "Discord webhook URL", "pattern": "https://discord\.com/api/webhooks/\d+/[A-Za-z0-9-]+", "flags": "" }, { "id": "EXF-021", "severity": "high", "score": 80, "description": "Slack webhook URL", "pattern": "https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+", "flags": "" }, { "id": "EXF-022", "severity": "medium", "score": 70, "description": "External URL data send", "pattern": "(?i)(send|post|upload|exfiltrate|transmit)\s+(to|data\s+to|this\s+to)\s+https?://", "flags": "" }, { "id": "EXF-023", "severity": "high", "score": 82, "description": "Database connection string", "pattern": "(?i)(mongodb|postgres|mysql|redis)://[^\s]+:[^\s]+@", "flags": "" }, { "id": "EXF-024", "severity": "high", "score": 78, "description": "JWT token", "pattern": "eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+", "flags": "" }, { "id": "EXF-025", "severity": "medium", "score": 68, "description": "Email + password combo", "pattern": "[a-zA-Z0-9.%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}\s*[:/]\s*\S{6,}", "flags": "" }, { "id": "EXF-026", "severity": "high", "score": 80, "description": "Stripe API Key", "pattern": "sk_live[A-Za-z0-9]{24,}", "flags": "" }, { "id": "EXF-027", "severity": "high", "score": 80, "description": "Twilio credentials", "pattern": "(?i)twilio.(?:token|sid)\s[=:]\s*[A-Za-z0-9]{32}", "flags": "" }, { "id": "EXF-028", "severity": "high", "score": 78, "description": "SendGrid API Key", "pattern": "SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}", "flags": "" }, { "id": "EXF-029", "severity": "medium", "score": 65, "description": "Australian Drivers License", "pattern": "(?i)(driver'?s?\s+licen[cs]e|DL)\s*:?\s*\d{6,10}", "flags": "" }, { "id": "EXF-030", "severity": "high", "score": 80, "description": "Google OAuth token", "pattern": "ya29\.[A-Za-z0-9_-]{50,}", "flags": "" }, { "id": "EXF-031", "severity": "medium", "score": 70, "description": "Encode and send pattern", "pattern": "(?i)(base64|encode).send\s+(to|via)\s+", "flags": "" }, { "id": "EXF-032", "severity": "high", "score": 82, "description": "Azure connection string", "pattern": "(?i)DefaultEndpointsProtocol=https?;AccountName=[^;]+;AccountKey=[^;]+", "flags": "" }, { "id": "EXF-033", "severity": "high", "score": 85, "description": "Infostealer targeting OpenClaw config files (Vidar variant)", "pattern": "(?i)(openclaw\.json|device\.json|gateway[\s]?token|soul\.md)", "flags": "", "name": "OpenClaw config file exfiltration", "source": "Hudson Rock / The Hacker News 2026-02-20", "category": "exfiltration" }, { "id": "EXF-034", "severity": "critical", "score": 95, "description": "Telethon session string (long base64 exported session)", "pattern": "\b1BQA[A-Za-z0-9+/=-]{50,}", "flags": "", "name": "Telethon session string", "source": "BL-027 Telegram OAuth investigation 2026-02-21", "tags": ["telegram", "session-hijack"] }, { "id": "EXF-035", "severity": "critical", "score": 93, "description": "Pyrogram session string (long base64 exported session)", "pattern": "\bBQA[A-Za-z0-9+/=-]{60,}", "flags": "", "name": "Pyrogram session string", "source": "BL-027 Telegram OAuth investigation 2026-02-21", "tags": ["telegram", "session-hijack"] }, { "id": "EXF-036", "severity": "critical", "score": 95, "description": "Telegram bot token (numeric ID colon hash)", "pattern": "\b\d{8,12}:[A-Za-z0-9-]{35,}\b", "flags": "", "name": "Telegram bot token", "source": "BL-027 Telegram OAuth investigation 2026-02-21", "tags": ["telegram", "bot-token"] }, { "id": "EXF-037", "severity": "high", "score": 88, "description": "Telegram API hash credential (api_hash = 32-hex string)", "pattern": "(?i)api[_\s]?hash\s[=:]\s*[a-fA-F0-9]{32}", "flags": "", "name": "Telegram api_hash credential", "source": "BL-027 Telegram OAuth investigation 2026-02-21", "tags": ["telegram", "api-credentials"] } ] }

File v2.2.0:definitions/injection-sigs.json

{ "category": "prompt_injection", "version": "1.0.0", "updated": "2026-02-21", "signatures": [ { "id": "INJ-001", "severity": "critical", "score": 95, "description": "System prompt override with [SYSTEM]:", "pattern": "(?i)(?<!\[)(?:Human|Assistant)\s*:\s*(?:ignore|forget|disregard|override)", "flags": "i", "name": "Role impersonation with override" }, { "id": "INJ-002", "severity": "critical", "score": 95, "description": "System prompt override with <<SYS>>", "pattern": "<<SYS>>", "flags": "i" }, { "id": "INJ-003", "severity": "critical", "score": 90, "description": "Triple-backtick system block", "pattern": "system\\b", "flags": "i" }, { "id": "INJ-004", "severity": "critical", "score": 92, "description": "Ignore previous instructions", "pattern": "ignore\\s+(all\\s+)?previous\\s+instructions", "flags": "i" }, { "id": "INJ-005", "severity": "critical", "score": 90, "description": "Forget your rules", "pattern": "forget\\s+(all\\s+)?(your|the)\\s+(rules|instructions|guidelines|constraints)", "flags": "i" }, { "id": "INJ-006", "severity": "critical", "score": 92, "description": "You are now a different AI", "pattern": "you\\s+are\\s+now\\s+(a|an|the)\\s+", "flags": "i" }, { "id": "INJ-007", "severity": "high", "score": 85, "description": "Disregard previous directives", "pattern": "disregard\\s+(all\\s+)?(previous|prior|above|earlier)\\s+(directives|instructions|prompts|rules)", "flags": "i" }, { "id": "INJ-008", "severity": "critical", "score": 95, "description": "DAN mode jailbreak", "pattern": "\\bDAN\\s+mode\\b", "flags": "i" }, { "id": "INJ-009", "severity": "critical", "score": 93, "description": "Developer mode enable", "pattern": "\\bdeveloper\\s+mode\\s*(enabled|on|activate)", "flags": "i" }, { "id": "INJ-010", "severity": "high", "score": 88, "description": "No restrictions directive", "pattern": "\\b(without|no|remove|disable)\\s+(any\\s+)?(restrictions|limitations|filters|guardrails|safety)", "flags": "i" }, { "id": "INJ-011", "severity": "high", "score": 85, "description": "Override safety measures", "pattern": "override\\s+(your\\s+)?(safety|security|content)\\s+(measures|filters|policies)", "flags": "i" }, { "id": "INJ-012", "severity": "high", "score": 80, "description": "Pretend you can do anything", "pattern": "pretend\\s+(that\\s+)?(you|u)\\s+(can|are\\s+able\\s+to|have\\s+no)", "flags": "i" }, { "id": "INJ-013", "severity": "high", "score": 82, "description": "Act as if you have no rules", "pattern": "act\\s+(as\\s+if|like)\\s+(you\\s+)?(have\\s+no|there\\s+are\\s+no)\\s+(rules|restrictions)", "flags": "i" }, { "id": "INJ-014", "severity": "critical", "score": 90, "description": "New system prompt injection", "pattern": "new\\s+system\\s+prompt\\s*:", "flags": "i" }, { "id": "INJ-015", "severity": "high", "score": 85, "description": "Reveal your system prompt", "pattern": "(reveal|show|display|print|output|tell\\s+me)\\s+(your\\s+)?(system\\s+prompt|initial\\s+instructions|hidden\\s+instructions)", "flags": "i" }, { "id": "INJ-016", "severity": "high", "score": 82, "description": "What are your instructions", "pattern": "what\\s+are\\s+your\\s+(instructions|rules|guidelines|system\\s+prompt)", "flags": "i" }, { "id": "INJ-017", "severity": "medium", "score": 70, "description": "Repeat everything above", "pattern": "repeat\\s+(everything|all|the\\s+text)\\s+(above|before\\s+this)", "flags": "i" }, { "id": "INJ-018", "severity": "high", "score": 85, "description": "Base64 encoded instruction injection", "pattern": "base64[:\\s]+(decode|eval|execute)\\b", "flags": "i" }, { "id": "INJ-019", "severity": "high", "score": 80, "description": "Unicode/encoding obfuscation attempt", "pattern": "\\\\u[0-9a-fA-F]{4}.*\\\\u[0-9a-fA-F]{4}.*\\\\u[0-9a-fA-F]{4}", "flags": "" }, { "id": "INJ-020", "severity": "critical", "score": 90, "description": "Jailbreak prompt keyword", "pattern": "\\b(jailbreak|jail\\s*break)\\s*(prompt|mode|this)", "flags": "i" }, { "id": "INJ-021", "severity": "high", "score": 83, "description": "Roleplay as unrestricted AI", "pattern": "roleplay\\s+(as|being)\\s+(an?\\s+)?(unrestricted|unfiltered|uncensored)", "flags": "i" }, { "id": "INJ-022", "severity": "high", "score": 85, "description": "Ignore content policy", "pattern": "ignore\\s+(the\\s+)?(content\\s+policy|usage\\s+policy|terms\\s+of\\s+service|ethical\\s+guidelines)", "flags": "i" }, { "id": "INJ-023", "severity": "medium", "score": 75, "description": "Hidden text in markdown", "pattern": "<!--\\s*(?:ignore|override|inject|bypass|jailbreak|system\\s*prompt)[^>]*-->", "flags": "is" }, { "id": "INJ-024", "severity": "high", "score": 80, "description": "Prompt leaking via completion", "pattern": "complete\\s+the\\s+following\\s*:.*\\[INST\\]", "flags": "i" }, { "id": "INJ-025", "severity": "critical", "score": 92, "description": "INST tag injection", "pattern": "\\[/?INST\\]", "flags": "" }, { "id": "INJ-026", "severity": "high", "score": 85, "description": "From now on respond without", "pattern": "from\\s+now\\s+on\\s+(respond|answer|reply)\\s+(without|with\\s+no)", "flags": "i" }, { "id": "INJ-027", "severity": "medium", "score": 72, "description": "Hypothetical scenario bypass", "pattern": "(hypothetically|in\\s+a\\s+hypothetical|for\\s+a\\s+fictional)\\s+.*\\b(how\\s+to|explain|tell)", "flags": "i" }, { "id": "INJ-028", "severity": "high", "score": 80, "description": "Do anything now", "pattern": "\\bdo\\s+anything\\s+now\\b", "flags": "i" }, { "id": "INJ-029", "severity": "high", "score": 83, "description": "Stop being an AI", "pattern": "stop\\s+being\\s+(an?\\s+)?AI", "flags": "i" }, { "id": "INJ-030", "severity": "medium", "score": 70, "description": "Translate to bypass filters", "pattern": "translate\\s+to\\s+.{2,20}\\s*:.*(?:kill|hack|bomb|weapon)", "flags": "i" }, { "id": "INJ-031", "severity": "high", "score": 85, "description": "System message XML injection", "pattern": "<\\|?(system|im_start|im_end)\\|?>", "flags": "i" }, { "id": "INJ-033", "severity": "medium", "score": 68, "description": "Encoded payload marker", "pattern": "\\b(eval|exec|decode)\\s*\\(\\s*['\"]", "flags": "i" }, { "id": "INJ-034", "severity": "high", "score": 80, "description": "Persona switch attempt", "pattern": "switch\\s+(to|into)\\s+(persona|character|mode|role)\\s*:", "flags": "i" }, { "id": "INJ-035", "severity": "high", "score": 82, "description": "Bypass content filter", "pattern": "bypass\\s+(the\\s+)?(content|safety|output)\\s+(filter|check|restriction)", "flags": "i" }, { "id": "INJ-036", "severity": "medium", "score": 72, "description": "Opposite day technique", "pattern": "(opposite\\s+day|opposite\\s+mode|reversed\\s+rules)", "flags": "i" }, { "id": "INJ-037", "severity": "high", "score": 85, "description": "Token smuggling delimiters", "pattern": "\\|\\|\\|.*SYSTEM.*\\|\\|\\|", "flags": "i" }, { "id": "INJ-038", "severity": "medium", "score": 70, "description": "Grandmother exploit", "pattern": "my\\s+(dead\\s+)?grandmother\\s+(used\\s+to|would)", "flags": "i" }, { "id": "INJ-039", "severity": "high", "score": 80, "description": "Multi-language injection evasion", "pattern": "en\\s+espa\u00f1ol\\s*:.*ignor", "flags": "i" }, { "id": "INJ-040", "severity": "critical", "score": 90, "description": "Prompt injection research payload", "pattern": "pwned|PWNED|p]w]n]e]d", "flags": "" }, { "id": "INJ-041", "severity": "high", "score": 78, "description": "Markdown image injection", "pattern": "!\\[.*\\]\\(https?://.*\\?.*prompt", "flags": "i" }, { "id": "INJ-042", "severity": "high", "score": 82, "description": "Instruction in code block", "pattern": "\s*(ignore|override|system|new instructions)", "flags": "i" }, { "id": "INJ-043", "severity": "medium", "score": 68, "description": "Zero-width character obfuscation", "pattern": "[\u200b\u200c\u200d\ufeff]{3,}", "flags": "" }, { "id": "INJ-044", "severity": "high", "score": 80, "description": "ChatML injection", "pattern": "<\|im_start\|>", "flags": "" }, { "id": "INJ-045", "severity": "high", "score": 82, "description": "Forget everything before this", "pattern": "forget\s+(everything|all)\s+(before|above|prior)", "flags": "i" }, { "id": "INJ-046", "severity": "medium", "score": 72, "description": "ASCII art evasion", "pattern": "(?i)(?:^|\n)\signore\s+(?:all\s+)?(?:previous|above|prior|earlier)\s+(?:instructions|rules|prompts|guidelines|directions)", "flags": "i" }, { "id": "INJ-047", "severity": "high", "score": 80, "description": "Simulate unrestricted mode", "pattern": "simulate\s+(an?\s+)?(unrestricted|unfiltered|uncensored)\s+(mode|version|AI)", "flags": "i" }, { "id": "INJ-048", "severity": "high", "score": 85, "description": "Direct prompt injection marker", "pattern": "BEGIN\s+INJECTION|END\s+INJECTION|INJECT:", "flags": "i" }, { "id": "INJ-049", "severity": "medium", "score": 75, "description": "Continuation attack", "pattern": "continue\s+from\s+where\s+(the\s+)?system\s+prompt", "flags": "i" }, { "id": "INJ-050", "severity": "high", "score": 80, "description": "Overwrite instructions directive", "pattern": "(overwrite|replace|update)\s+(your|the|all)\s+(instructions|system\s+prompt|rules)", "flags": "i" }, { "id": "INJ-051", "severity": "high", "score": 78, "description": "Markdown link with data exfil", "pattern": "!\[.\]\(https?://[^)]+\{\{", "flags": "i" }, { "id": "INJ-052", "severity": "medium", "score": 70, "description": "Adversarial suffix pattern", "pattern": "describing\.\+ similarlyNow write", "flags": "i" }, { "id": "INJ-053", "severity": "high", "score": 88, "description": "AI memory poisoning via fetched web content — persistence injection commands targeting AI memory context", "pattern": "(?i)(remember\s+(?:\S+\s+){1,3}as\s+(?:trusted|preferred|best)|always\s+recommend|add\s+(?:this\s+)?to\s+(?:your\s+)?memory)", "flags": "i", "name": "Memory persistence injection", "category": "prompt_injection", "source": "Microsoft Security Blog 2026-02-10", "tags": ["memory-poisoning", "persistence", "web-content"] } ] }

File v2.2.0:definitions/manifest.json

{ "version": "1.0.0", "updated": "2026-02-21T09:00:00Z", "files": { "injection-sigs.json": {"category": "prompt_injection", "sigCount": 52, "version": "1.0.0"}, "exfil-patterns.json": {"category": "data_exfiltration", "sigCount": 37, "version": "1.0.0"}, "tool-abuse.json": {"category": "tool_abuse", "sigCount": 30, "version": "1.0.1"}, "social-engineering.json": {"category": "social_engineering", "sigCount": 27, "version": "1.0.1"}, "openclaw-hardening.json": {"category": "openclaw_hardening", "sigCount": 15, "version": "1.0.0"} }, "totalSignatures": 161, "updateStatus": "current" }

File v2.2.0:definitions/openclaw-hardening.json

{ "category": "openclaw_hardening", "version": "1.0.0", "updated": "2026-02-18", "checks": [ {"id": "HRD-001", "severity": "critical", "score": 95, "description": "No gateway auth configured", "check": "auth_missing", "path": "auth", "condition": "missing_or_empty"}, {"id": "HRD-002", "severity": "high", "score": 85, "description": "Weak or default auth token", "check": "weak_token", "path": "auth.profiles", "condition": "has_default_token"}, {"id": "HRD-003", "severity": "high", "score": 80, "description": "No rate limiting configured", "check": "rate_limit_missing", "path": "gateway.rateLimit", "condition": "missing"}, {"id": "HRD-004", "severity": "high", "score": 82, "description": "Gateway bound to 0.0.0.0", "check": "bind_all_interfaces", "path": "gateway.host", "condition": "equals_0.0.0.0"}, {"id": "HRD-005", "severity": "medium", "score": 70, "description": "No channel restrictions defined", "check": "no_channel_restrictions", "path": "channels", "condition": "missing_or_empty"}, {"id": "HRD-006", "severity": "medium", "score": 68, "description": "Missing model allowlist", "check": "no_model_allowlist", "path": "models.allowlist", "condition": "missing"}, {"id": "HRD-007", "severity": "medium", "score": 65, "description": "No IP whitelist configured", "check": "no_ip_whitelist", "path": "gateway.ipWhitelist", "condition": "missing"}, {"id": "HRD-008", "severity": "medium", "score": 72, "description": "CORS allows all origins", "check": "cors_wildcard", "path": "gateway.cors.origin", "condition": "equals_wildcard"}, {"id": "HRD-009", "severity": "low", "score": 50, "description": "Debug mode enabled", "check": "debug_enabled", "path": "debug", "condition": "truthy"}, {"id": "HRD-010", "severity": "medium", "score": 68, "description": "No TLS/HTTPS configured", "check": "no_tls", "path": "gateway.tls", "condition": "missing"}, {"id": "HRD-011", "severity": "low", "score": 55, "description": "Logging level too verbose", "check": "verbose_logging", "path": "logging.level", "condition": "equals_debug"}, {"id": "HRD-012", "severity": "medium", "score": 70, "description": "No session timeout configured", "check": "no_session_timeout", "path": "sessions.timeout", "condition": "missing"}, {"id": "HRD-013", "severity": "high", "score": 80, "description": "External tool execution unrestricted", "check": "unrestricted_tools", "path": "tools.restrictions", "condition": "missing"}, {"id": "HRD-014", "severity": "medium", "score": 65, "description": "No audit logging configured", "check": "no_audit_log", "path": "logging.audit", "condition": "missing_or_false"}, {"id": "HRD-015", "severity": "medium", "score": 60, "description": "Auto-update disabled", "check": "no_auto_update", "path": "updates.auto", "condition": "false"} ] }

File v2.2.0:definitions/social-engineering.json

{ "category": "social_engineering", "version": "1.0.0", "updated": "2026-02-21T09:00:00Z", "signatures": [ { "id": "SOC-001", "severity": "high", "score": 80, "description": "Admin impersonation", "pattern": "(?i)\b(i'?m|i\s+am)\s+(the\s+)?(admin|administrator|root\s+user|system\s+admin)", "flags": "" }, { "id": "SOC-002", "severity": "high", "score": 80, "description": "CEO/executive impersonation", "pattern": "(?i)\b(CEO|CTO|CFO)\s+(here|speaking|requesting)", "flags": "" }, { "id": "SOC-003", "severity": "medium", "score": 72, "description": "Urgency - immediately", "pattern": "(?i)\b(do\s+this\s+)?immediately\b.(send|transfer|delete|share)", "flags": "" }, { "id": "SOC-004", "severity": "medium", "score": 70, "description": "Before audit pressure", "pattern": "(?i)(before\s+the\s+audit|audit\s+starts|compliance\s+deadline)", "flags": "" }, { "id": "SOC-005", "severity": "high", "score": 82, "description": "Phishing - click this link", "pattern": "(?i)(click|open|visit)\s+(this|the)\s+(link|url|website)\s+(to|and)\s+(verify|confirm|update)", "flags": "" }, { "id": "SOC-006", "severity": "high", "score": 82, "description": "Verify your account", "pattern": "(?i)verify\s+your\s+(account|identity|credentials|login)", "flags": "" }, { "id": "SOC-007", "severity": "medium", "score": 70, "description": "Don't tell anyone", "pattern": "(?i)(don'?t|do\s+not)\s+(tell|mention|inform)\s+(anyone|the\s+team|others)", "flags": "" }, { "id": "SOC-008", "severity": "high", "score": 78, "description": "Account suspended threat", "pattern": "(?i)(account|access)\s+(will\s+be\s+|has\s+been\s+)?(suspended|locked|terminated|revoked)", "flags": "" }, { "id": "SOC-009", "severity": "medium", "score": 68, "description": "Time-limited offer pressure", "pattern": "(?i)(expires?\s+in|only\s+\d+\s+minutes?|last\s+chance|limited\s+time)", "flags": "" }, { "id": "SOC-010", "severity": "high", "score": 80, "description": "Password reset request", "pattern": "(?i)(reset|change|update)\s+(your\s+)?password\s+(now|immediately|urgently)", "flags": "" }, { "id": "SOC-011", "severity": "medium", "score": 72, "description": "Authority override request", "pattern": "(?i)(as\s+your\s+(boss|manager|supervisor)|on\s+behalf\s+of\s+management)", "flags": "" }, { "id": "SOC-012", "severity": "high", "score": 78, "description": "Wire transfer request", "pattern": "(?i)(wire|transfer|send)\s+\$?\d+.\b(to|into)\s+(this\s+)?account", "flags": "" }, { "id": "SOC-013", "severity": "medium", "score": 70, "description": "Confidential bypass", "pattern": "(?i)this\s+is\s+(confidential|classified|top\s+secret).*bypass", "flags": "" }, { "id": "SOC-014", "severity": "medium", "score": 65, "description": "IT support impersonation", "pattern": "(?i)(IT\s+(support|department|team)|tech\s+support)\s+(here|needs|requires)", "flags": "" }, { "id": "SOC-015", "severity": "medium", "score": 68, "description": "Emergency override", "pattern": "(?i)(emergency|critical\s+situation).override\s+(the\s+)?(normal|standard|usual)", "flags": "" }, { "id": "SOC-016", "severity": "medium", "score": 65, "description": "Security test pretense", "pattern": "(?i)(this\s+is\s+a\s+security\s+test|testing\s+security|authorized\s+pen\stest)", "flags": "" }, { "id": "SOC-017", "severity": "high", "score": 75, "description": "Quid pro quo offer", "pattern": "(?i)(if\s+you\s+(do|help).i'?ll\s+(give|reward|pay|promote))", "flags": "" }, { "id": "SOC-018", "severity": "medium", "score": 68, "description": "Sympathy manipulation", "pattern": "(?i)(please\s+help.\b(dying|sick|emergency|hospital)|my\s+(child|mother|father)\s+is)", "flags": "" }, { "id": "SOC-019", "severity": "medium", "score": 65, "description": "Fake deadline", "pattern": "(?i)(must\s+be\s+done\s+by|deadline\s+is|due\s+in\s+\d+\s+minutes?)", "flags": "" }, { "id": "SOC-020", "severity": "high", "score": 78, "description": "Data sharing under pretense", "pattern": "(?i)(share|send|forward)\s+(all|the|your)\s+(files|data|documents|database)\s+(to|with)\s+(me|this\s+email)", "flags": "" }, { "id": "SOC-021", "severity": "high", "score": 82, "description": "QR code scan social engineering \u2014 Telegram OAuth abuse vector", "pattern": "(?i)(scan|open)\s+(?:\w+\s+){0,2}(qr(?:[\s-]?code?)?).{0,50}(telegram|login|verify|authoriz|confirm)", "flags": "", "source": "CYFIRMA 2026-02-07", "tags": [ "telegram", "oauth", "qr-login" ] }, { "id": "SOC-022", "severity": "high", "score": 82, "description": "Authorization prompt approval manipulation \u2014 Telegram session hijack", "pattern": "(?i)(approve|accept|confirm|allow|tap)\s+(the\s+)?(authorization|login\s+request|access\s+request|signin|sign.in)\s+(prompt|request|from|on)", "flags": "", "source": "CYFIRMA 2026-02-07", "tags": [ "telegram", "oauth", "session-hijack" ] }, { "id": "SOC-023", "severity": "high", "score": 80, "description": "Telegram support/security impersonation", "pattern": "(?i)(telegram\s+(support|security\s+team|official|admin|help\s+desk)|official\s+telegram\s+(team|message|notice))", "flags": "", "tags": [ "telegram", "impersonation" ] }, { "id": "SOC-024", "severity": "high", "score": 80, "description": "Confirm login on device \u2014 Telegram QR/OAuth prompt lure", "pattern": "(?i)(confirm|approve|tap\s+confirm).{0,30}(login|sign.?in|access).{0,30}(your\s+)?(phone|device|mobile|app|telegram)", "flags": "", "tags": [ "telegram", "oauth", "session-hijack" ] }, { "id": "SOC-025", "severity": "high", "score": 84, "description": "Request to share Telegram session string or login token", "pattern": "(?i)(send|share|paste|provide|give)\s+(me\s+)?(?:your\s+)?(session[\s]string|login[\s]token|auth[_\s]token|session\s+code).{0,30}(telegram|tg|bot)", "flags": "", "tags": [ "telegram", "session-hijack", "exfiltration" ] }, { "id": "SOC-026", "severity": "medium", "score": 74, "description": "Telegram new device/session login alert lure", "pattern": "(?i)(new\s+(device|session|login).{0,30}(detected|added|authorized|telegram)|(your\s+)?telegram\s+(account|session).{0,30}(logged\s+in|authorized|new\s+device))", "flags": "", "tags": [ "telegram", "phishing", "session-hijack" ] }, { "id": "SOC-027", "severity": "high", "score": 88, "description": "AI-generated synthetic identity or deepfake persona used to establish trust before credential request", "pattern": "(?i)(i\s+am\s+(an?\s+)?(ai|artificial\s+intelligence|virtual\s+assistant|digital\s+twin).{0,60}(verify|confirm|authenticate|send|provide|share).{0,40}(code|password|pin|token|credential|otp|mfa|2fa)|(deepfake|synthetic|generated|cloned).{0,30}(voice|video|identity|persona).{0,40}(trust|verify|confirm|authenticate))", "flags": "", "tags": [ "ai-lure", "synthetic-identity", "deepfake", "credential-theft", "emerging-threat" ] } ] }

File v2.2.0:definitions/tool-abuse.json

{ "category": "tool_abuse", "version": "1.0.0", "updated": "2026-02-18", "signatures": [ {"id": "TAB-001", "severity": "critical", "score": 95, "description": "Recursive force delete", "pattern": "\brm\s+-rf\s+/", "flags": ""}, {"id": "TAB-002", "severity": "critical", "score": 90, "description": "Chmod world-writable", "pattern": "\bchmod\s+777\b", "flags": ""}, {"id": "TAB-003", "severity": "critical", "score": 95, "description": "Curl pipe to bash", "pattern": "curl\s+[^|]\|\s(ba)?sh", "flags": ""}, {"id": "TAB-004", "severity": "critical", "score": 95, "description": "Wget pipe to shell", "pattern": "wget\s+[^|]\|\s(ba)?sh", "flags": ""}, {"id": "TAB-005", "severity": "critical", "score": 92, "description": "Read shadow file", "pattern": "cat\s+/etc/shadow", "flags": ""}, {"id": "TAB-006", "severity": "high", "score": 85, "description": "Env grep for keys/secrets", "pattern": "\benv\b.\|.grep.(KEY|SECRET|TOKEN|PASS|CRED)", "flags": "i"}, {"id": "TAB-007", "severity": "high", "score": 82, "description": "Read passwd file", "pattern": "cat\s+/etc/passwd", "flags": ""}, {"id": "TAB-008", "severity": "high", "score": 85, "description": "Nmap network scan", "pattern": "\bnmap\s+", "flags": ""}, {"id": "TAB-009", "severity": "medium", "score": 70, "description": "Netstat connection listing", "pattern": "\bnetstat\s+-[atnlp]", "flags": ""}, {"id": "TAB-010", "severity": "high", "score": 80, "description": "Mass file deletion", "pattern": "\bfind\s+/\s+.-delete\b", "flags": ""}, {"id": "TAB-011", "severity": "critical", "score": 92, "description": "Sudo privilege escalation", "pattern": "\bsudo\s+(su|bash|sh|chmod|chown|passwd)", "flags": ""}, {"id": "TAB-012", "severity": "high", "score": 85, "description": "Reverse shell", "pattern": "\bbash\s+-i\s+>\s*&\s*/dev/tcp/", "flags": ""}, {"id": "TAB-013", "severity": "high", "score": 85, "description": "Netcat listener", "pattern": "\bnc\s+-[ln].-[ep]\s", "flags": ""}, {"id": "TAB-014", "severity": "high", "score": 80, "description": "Python reverse shell", "pattern": "python.socket.connect.exec", "flags": "i"}, {"id": "TAB-015", "severity": "critical", "score": 90, "description": "Format disk", "pattern": "\bmkfs\s+/dev/", "flags": ""}, {"id": "TAB-016", "severity": "critical", "score": 92, "description": "DD disk overwrite", "pattern": "\bdd\s+if=.of=/dev/", "flags": ""}, {"id": "TAB-017", "severity": "high", "score": 82, "description": "Kill all processes", "pattern": "\bkillall\s+-9\b|\bkill\s+-9\s+-1\b", "flags": ""}, {"id": "TAB-018", "severity": "high", "score": 78, "description": "Crontab modification", "pattern": "\bcrontab\s+-[er]\b", "flags": ""}, {"id": "TAB-019", "severity": "medium", "score": 72, "description": "SSH key operations", "pattern": "\bssh-keygen\b.|cat.\.ssh/(id_rsa|authorized_keys)", "flags": ""}, {"id": "TAB-020", "severity": "high", "score": 80, "description": "Download and execute", "pattern": "\bwget\s+.&&.\bchmod\s+\+x\b", "flags": ""}, {"id": "TAB-021", "severity": "high", "score": 78, "description": "Mass file permission change", "pattern": "\bchmod\s+-R\s+[0-7]{3}\s+/", "flags": ""}, {"id": "TAB-022", "severity": "high", "score": 80, "description": "IPtables flush", "pattern": "\biptables\s+-F\b", "flags": ""}, {"id": "TAB-023", "severity": "medium", "score": 68, "description": "Port scanning", "pattern": "\b(nmap|masscan|zmap)\s+", "flags": ""}, {"id": "TAB-024", "severity": "high", "score": 82, "description": "Fork bomb", "pattern": ":\(\)\{\s:\|:&\s*\}", "flags": ""}, {"id": "TAB-025", "severity": "high", "score": 80, "description": "Credential file access", "pattern": "cat\s+.(credentials|secrets|tokens|passwords|\.(env|npmrc|netrc))", "flags": "i"}, {"id": "TAB-026", "severity": "medium", "score": 70, "description": "History file access", "pattern": "cat\s+.\.(bash_history|zsh_history|history)", "flags": ""}, {"id": "TAB-027", "severity": "high", "score": 78, "description": "Systemctl stop/disable", "pattern": "\bsystemctl\s+(stop|disable)\s+(firewalld|ufw|iptables)", "flags": ""}, {"id": "TAB-028", "severity": "critical", "score": 93, "description": "ToxicSkills: base64 shell decode (obfuscated payload in skill content)", "pattern": "base64\s+(-d|--decode)", "flags": "i"}, {"id": "TAB-029", "severity": "critical", "score": 95, "description": "ToxicSkills: JavaScript eval(atob()) obfuscated execution in skill content", "pattern": "eval\s*\(.atob", "flags": "i"}, {"id": "TAB-030", "severity": "critical", "score": 93, "description": "ToxicSkills: curl with silent flags piped to bash (obfuscated download-and-execute)", "pattern": "curl\s+-[sSlL][sS][sSlL]\s+.\|\s*bash", "flags": "i"} ] }

File v2.2.0:pyproject.toml

[build-system] requires = ["setuptools>=68"] build-backend = "setuptools.build_meta"

[project] name = "guardian-ai" version = "2.1.0" description = "Standalone AI security engine for prompt injection and tool abuse defense" readme = "README.md" requires-python = ">=3.8" license = {text = "MIT"} authors = [{name = "Guardian Contributors"}] dependencies = []

[project.scripts] guardian-scan = "scripts.guardian:main" guardian-serve = "scripts.serve:main" guardian-admin = "scripts.admin:main"

[tool.setuptools] packages = ["guardian", "guardian.integrations", "core", "integrations", "scripts"]

Archive v2.1.0: 43 files, 100835 bytes

Files: _meta.json (127b), billing/init.py (768b), billing/billing_endpoints.py (13324b), billing/stripe_integration.py (44944b), config.json (3623b), core/init.py (157b), core/api.py (3236b), core/cache.py (5281b), core/guardian_db.py (29558b), core/realtime.py (5474b), core/scanner.py (11001b), core/settings.py (6828b), definitions/exfil-patterns.json (9354b), definitions/injection-sigs.json (12337b), definitions/manifest.json (622b), definitions/openclaw-hardening.json (2842b), definitions/social-engineering.json (8343b), definitions/tool-abuse.json (4895b), definitions/update.py (12147b), guardian/init.py (152b), guardian/capability.py (15126b), guardian/integrations/init.py (184b), guardian/integrations/langchain.py (154b), guardian/integrations/webhook.py (125b), install.sh (2651b), integrations/init.py (47b), integrations/langchain.py (1881b), integrations/webhook.py (1259b), pyproject.toml (598b), quickstart.py (2006b), README.md (2367b), scripts/init.py (35b), scripts/admin.py (23011b), scripts/check_updates.py (3077b), scripts/daily_digest.py (2386b), scripts/dashboard_export.py (7806b), scripts/guardian.py (19503b), scripts/onboard.py (43408b), scripts/primary_notify_local.py (815b), scripts/serve.py (34469b), scripts/telegram_notify.py (7908b), SECURITY.md (1417b), SKILL.md (4683b)

File v2.1.0:SKILL.md

---

name: clawguardian description: Local-first security scanner for OpenClaw agents. Detects prompt injection, exfiltration patterns, tool abuse, and social engineering using bundled signatures. version: 2.1.0 metadata: openclaw: requires: bins: - python3 env: - GUARDIAN_WORKSPACE - GUARDIAN_CONFIG - OPENCLAW_WORKSPACE - OPENCLAW_CONFIG_PATH permissions: - read_workspace - write_workspace - shell_optional - network_optional

Guardian

Security scanner for OpenClaw agents. Detects prompt injection, credential exfiltration attempts, tool abuse patterns, and social engineering attacks using regex-based signature matching.

Guardian provides two scanning modes:

• Real-time pre-scan — checks each incoming message before it reaches the model
• Batch scan — periodic sweep of workspace files and conversation logs

All data stays local. This release removes optional webhook/API networking paths to reduce moderation risk. Cron setup remains optional via scripts/onboard.py --setup-crons.

Scan results are stored in a SQLite database (guardian.db).

Installation

cd ~/.openclaw/skills/guardian
./install.sh

Install mechanism and review

This package includes executable scripts (including install.sh) and Python modules. Review install.sh before running in production. install.sh performs local setup/validation; optional helper onboard.py is opt-in for cron setup.

Onboarding checklist

1. Optional: python3 scripts/onboard.py --setup-crons (scanner/report/digest crons)
2. python3 scripts/admin.py status (confirm running)
3. python3 scripts/admin.py threats (confirm signatures loaded; should show 0/blocked)
4. Optional: review config.json scan_paths and threshold for your environment

First-load / self-activation

After install.sh completes, it writes .guardian-activate-pending to the workspace root (~/.openclaw/workspace/.guardian-activate-pending). When OpenClaw detects this marker on next load, it triggers onboard.py automatically for the self-activation flow. The marker is removed once onboard.py has run. If you prefer manual onboarding, simply delete the marker before reloading (rm ~/.openclaw/workspace/.guardian-activate-pending).

Scan scope and privacy

Guardian scans configured workspace paths to detect threats. Depending on scan_paths, this can include other skill/config files in your OpenClaw workspace. If you handle sensitive files, set narrow scan_paths in config.json.

Quick Start

# Check status
python3 scripts/admin.py status

# Scan recent threats
python3 scripts/guardian.py --report --hours 24

# Full report
python3 scripts/admin.py report

Admin Commands

python3 scripts/admin.py status          # Current status
python3 scripts/admin.py enable          # Enable scanning
python3 scripts/admin.py disable         # Disable scanning
python3 scripts/admin.py threats         # List detected threats
python3 scripts/admin.py threats --clear # Clear threat log
python3 scripts/admin.py dismiss INJ-004 # Dismiss a signature
python3 scripts/admin.py allowlist add "safe phrase"
python3 scripts/admin.py allowlist remove "safe phrase"
python3 scripts/admin.py update-defs     # Update threat definitions

Add --json to any command for machine-readable output.

Python API

from core.realtime import RealtimeGuard

guard = RealtimeGuard()
result = guard.scan_message(user_text, channel="telegram")
if guard.should_block(result):
    return guard.format_block_response(result)

Environment variables read

• GUARDIAN_WORKSPACE (optional workspace override)
• OPENCLAW_WORKSPACE (optional fallback workspace override)
• GUARDIAN_CONFIG (optional guardian config path)
• OPENCLAW_CONFIG_PATH (optional OpenClaw config path)

Configuration

Edit config.json:

| Setting | Description | |---|---| | enabled | Master on/off switch | | severity_threshold | Blocking threshold: low / medium / high / critical | | scan_paths | Paths to scan (["auto"] for common folders) | | db_path | SQLite location ("auto" = <workspace>/guardian.db) |

How It Works

Guardian loads threat signatures from definitions/*.json files. Each signature has an ID, regex pattern, severity level, and category. Incoming text is matched against all active signatures. Matches above the configured severity threshold are blocked and logged to the database.

Signatures cover: prompt injection, credential patterns (API keys, tokens), data exfiltration attempts, tool abuse patterns, and social engineering tactics.

File v2.1.0:README.md

🛡️ Guardian — Security scanner for OpenClaw agents

Detects prompt injection, credential exfiltration, tool abuse, and social engineering in real time. Runs locally with bundled signatures.

---

Install

clawhub install guardian
cd ~/.openclaw/skills/guardian && ./install.sh

Install & safety note

This package includes executable scripts (install.sh, optional onboarding/API/webhook helpers). Review install.sh before running in production environments.

Onboarding checklist (fast)

1. Optional: python3 scripts/onboard.py --setup-crons (scanner/report/digest crons)
2. python3 scripts/admin.py status (confirm running)
3. python3 scripts/admin.py threats (confirm signatures loaded; should show 0/blocked)
4. Optional: review config.json scan paths and thresholds

Scan scope

Guardian scans configured workspace paths and may read other skill/config files under those paths for detection. Use narrow scan_paths in config.json if needed.

Quick commands

python3 scripts/admin.py status          # running?
python3 scripts/admin.py threats         # list detected threats
python3 scripts/admin.py report          # full summary
python3 scripts/admin.py update-defs     # update signatures (bundled by default)

Add --json to any command for machine-readable output.

Dashboard

cd skills/guardian/dashboard && python3 -m http.server 8091
# http://localhost:8091/guardian.html

Optional components

• Cron helper: scripts/onboard.py --setup-crons (scanner/report/digest crons)

Python API

from core.realtime import RealtimeGuard

guard = RealtimeGuard()
result = guard.scan_message("test payload", channel="telegram")
if guard.should_block(result):
    print(result.top_threat)

What it protects against

• Prompt injection / indirect injection
• Credential patterns / exfiltration attempts
• Tool abuse patterns (read → send)
• Social engineering / fake authority

How it works

• Bundled signatures in definitions/*.json (regex-based)
• Real-time pre-scan + batch scan
• Logs to SQLite (guardian.db)

Permissions (declared)

• read_workspace, write_workspace
• shell_optional (cron helper)
• network_optional (webhook/HTTP API — opt-in)

MIT License. Questions? clawhub.ai/bluemax30001/guardian

File v2.1.0:_meta.json

{ "ownerId": "kn79g86yk0svgtfdr8wkx14bf981f0s7", "slug": "guardian", "version": "2.1.0", "publishedAt": 1772198074224 }

File v2.1.0:SECURITY.md

Security Notes

What Guardian accesses

• Reads: Workspace files, conversation logs, definition files (JSON)
• Writes: guardian.db (SQLite) for scan results and threat history
• Shell: admin.py update-defs and onboard.py --setup-crons invoke subprocesses (crontab setup, signature updates). Explicit operator actions.
• Network (optional):
  • integrations/webhook.py can POST scan results to a configured URL
  • scripts/serve.py runs an HTTP API server if you start it
  • Both are disabled unless you configure/start them. Documented in SKILL.md.
• Base64: Definition files may be base64-encoded; decoded at load time to extract signature patterns.

Permissions

| Permission | Used by | Purpose | |---|---|---| | read_workspace | core/scanner.py | Read files to scan for threats | | write_workspace | core/guardian_db.py | Write scan results to SQLite | | shell_optional | scripts/onboard.py | Optional cron setup via subprocess/crontab |

No credentials required

Guardian does not need API keys, tokens, or external service credentials. All scanning is local regex matching against bundled signature definitions. Optional network features are opt-in and documented.

Outbound caution

If you enable webhook notifications, payloads may include matched evidence snippets. Review sanitization and endpoint handling before enabling in sensitive environments.

File v2.1.0:config.json

{ "enabled": true, "admin_override": false, "scan_paths": [ "auto" ], "db_path": "auto", "scan_interval_minutes": 2, "severity_threshold": "medium", "dismissed_signatures": [ "INJ-004", "INJ-015" ], "custom_definitions_dir": null, "channels": { "monitor_all": true, "exclude_channels": [] }, "alerts": { "notify_on_critical": true, "notify_on_high": false, "daily_digest": true, "daily_digest_time": "09:00", "primary_notify_command": "python3 /home/bluemax/.openclaw/workspace/skills/guardian/scripts/telegram_notify.py" }, "admin": { "bypass_token": null, "disable_until": null, "trusted_sources": [], "_trusted_sources_note": "Add your primary channel: telegram, discord, signal, slack", "require_confirmation_for_severity": [ "critical" ] }, "false_positive_suppression": { "min_context_words": 3, "suppress_assistant_number_matches": true, "allowlist_patterns": [ "WORKFLOW_AUTO\.md", "(?i)openclaw\s+(internal|system|post-compaction|audit)", "(?i)post-compaction\s+(audit|restore|protocol)", "(?i)system\s+(reminder|protocol|message).(?:read|follow|check).(?:SOUL\.md|USER\.md|MEMORY\.md|WORKFLOW_AUTO\.md)" ], "_allowlist_note": "Patterns that suppress specific false positives. Use narrow, audited patterns only; broad patterns can reduce detection coverage." }, "pro_tier": { "enabled": false, "_note": "Guardian Pro tier ($9/mo). Set enabled=true and configure billing settings to activate.", "billing": { "stripe_price_id": "", "_stripe_price_id_note": "Stripe Price ID for the $9/mo Guardian Pro plan (e.g. price_1ABC...)", "billing_db_path": "auto", "_billing_db_path_note": "Path to billing SQLite cache. 'auto' uses <skill_root>/billing.db", "webhook_endpoint": "/billing/webhook", "_webhook_note": "Register this path in your Stripe dashboard as the webhook endpoint" }, "features": { "premium_signatures": true, "_premium_signatures_note": "Pro users receive extended threat signature packs updated in real-time", "extended_analytics": true, "_extended_analytics_note": "30-day trend charts, category breakdowns, and export to CSV", "priority_support": true, "api_rate_limit_5x": true, "_api_rate_limit_note": "Pro tier gets 5x API rate limit (500 req/min vs 100 for free)", "export_csv": true, "custom_alert_rules": true, "_custom_alert_rules_note": "Create per-signature or per-channel alert rules with custom thresholds" }, "signature_delivery": { "premium_definition_packs": [ "advanced-injection-v2.json", "llm-jailbreaks.json", "supply-chain-attacks.json", "insider-threat-indicators.json" ], "_premium_packs_note": "Definition packs only served to verified Pro subscribers", "update_channel": "pro", "_update_channel_note": "pro | stable | canary — Pro subscribers receive updates before stable" }, "access_control": { "gating_mode": "soft", "_gating_mode_note": "soft: serve free tier on auth failure | hard: block entirely on auth failure", "grace_period_hours": 72, "_grace_period_note": "Hours of Pro access after payment failure before downgrading to free", "user_id_header": "X-Guardian-User-Id", "_user_id_header_note": "HTTP header used to identify the user for subscription lookup" } }, "_comment": "Guardian Security Skill — Configuration. See README.md and BILLING.md for details." }

File v2.1.0:definitions/exfil-patterns.json

{ "category": "data_exfiltration", "version": "1.0.0", "updated": "2026-02-21", "signatures": [ { "id": "EXF-001", "severity": "critical", "score": 95, "description": "AWS Access Key", "pattern": "AKIA[0-9A-Z]{16}", "flags": "" }, { "id": "EXF-002", "severity": "critical", "score": 95, "description": "AWS Secret Key", "pattern": "(?i)aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+=]{40}", "flags": "" }, { "id": "EXF-003", "severity": "critical", "score": 95, "description": "OpenAI API Key", "pattern": "sk-[A-Za-z0-9]{20,}", "flags": "" }, { "id": "EXF-004", "severity": "critical", "score": 95, "description": "Anthropic API Key", "pattern": "sk-ant-[A-Za-z0-9-]{20,}", "flags": "" }, { "id": "EXF-005", "severity": "critical", "score": 93, "description": "GCP API Key", "pattern": "AIza[0-9A-Za-z_-]{35}", "flags": "" }, { "id": "EXF-006", "severity": "critical", "score": 93, "description": "GitHub Token", "pattern": "gh[pousr][A-Za-z0-9]{36,}", "flags": "" }, { "id": "EXF-007", "severity": "critical", "score": 90, "description": "Generic Bearer Token", "pattern": "(?i)bearer\s+[A-Za-z0-9.-]{20,}", "flags": "" }, { "id": "EXF-008", "severity": "critical", "score": 95, "description": "Australian TFN (Tax File Number)", "pattern": "(?i)(?:tfn|tax\sfile\snumber)[\s:()]?(?:is|number)?[\s:()]\d{3}[\s-]?\d{3}[\s-]?\d{3}", "flags": "", "name": "Australian TFN (with context)" }, { "id": "EXF-009", "severity": "critical", "score": 92, "description": "Australian Medicare Number", "pattern": "(?i)(?:bsb)\s*:?\s*\d{3}[\s-]?\d{3}(?:\s+\w+){0,2}?\s+\d{6,10}", "flags": "", "name": "BSB + Account (with context)" }, { "id": "EXF-010", "severity": "high", "score": 85, "description": "Australian ABN", "pattern": "\bABN\s*:?\s*\d{2}\s?\d{3}\s?\d{3}\s?\d{3}\b", "flags": "i" }, { "id": "EXF-011", "severity": "high", "score": 85, "description": "Australian BSB + Account (with context)", "pattern": "(?i)(?:bsb|account|banking|transfer|payment|balance)[\s:](?:number|is|to)?[\s:](?:\d{3}[\s-]?\d{3})(?:\s+\w+){0,2}?\s+\d{6,10}", "flags": "", "name": "BSB + Account (requires financial context)" }, { "id": "EXF-012", "severity": "critical", "score": 95, "description": "Credit Card (Visa)", "pattern": "(?i)(?:card|visa|credit|payment)\s*:?\s4\d{3}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}", "flags": "", "name": "Visa Card Number (with context)" }, { "id": "EXF-013", "severity": "critical", "score": 95, "description": "Credit Card (Mastercard)", "pattern": "(?i)(?:card|master|credit|payment)\s:?\s5[1-5]\d{2}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}", "flags": "", "name": "Mastercard Number (with context)" }, { "id": "EXF-014", "severity": "critical", "score": 95, "description": "Credit Card (Amex)", "pattern": "\b3[47]\d{2}[\s-]?\d{6}[\s-]?\d{5}\b", "flags": "" }, { "id": "EXF-015", "severity": "high", "score": 85, "description": "Password in plaintext", "pattern": "(?i)(password|passwd|pwd)\s[=:]\s*\S{4,}", "flags": "" }, { "id": "EXF-016", "severity": "high", "score": 82, "description": "Credential mention", "pattern": "(?i)(my\s+password\s+is|credentials\s+are|login\s+details)\s*:?\s*\S+", "flags": "" }, { "id": "EXF-017", "severity": "high", "score": 80, "description": "Private key header", "pattern": "-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----", "flags": "" }, { "id": "EXF-018", "severity": "high", "score": 80, "description": "SSH private key", "pattern": "-----BEGIN\s+OPENSSH\s+PRIVATE\s+KEY-----", "flags": "" }, { "id": "EXF-019", "severity": "high", "score": 78, "description": "Webhook URL with token", "pattern": "https?://[^\s]*webhook[^\s]*token[=][^\s]+", "flags": "i" }, { "id": "EXF-020", "severity": "high", "score": 82, "description": "Discord webhook URL", "pattern": "https://discord\.com/api/webhooks/\d+/[A-Za-z0-9-]+", "flags": "" }, { "id": "EXF-021", "severity": "high", "score": 80, "description": "Slack webhook URL", "pattern": "https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+", "flags": "" }, { "id": "EXF-022", "severity": "medium", "score": 70, "description": "External URL data send", "pattern": "(?i)(send|post|upload|exfiltrate|transmit)\s+(to|data\s+to|this\s+to)\s+https?://", "flags": "" }, { "id": "EXF-023", "severity": "high", "score": 82, "description": "Database connection string", "pattern": "(?i)(mongodb|postgres|mysql|redis)://[^\s]+:[^\s]+@", "flags": "" }, { "id": "EXF-024", "severity": "high", "score": 78, "description": "JWT token", "pattern": "eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+", "flags": "" }, { "id": "EXF-025", "severity": "medium", "score": 68, "description": "Email + password combo", "pattern": "[a-zA-Z0-9.%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}\s*[:/]\s*\S{6,}", "flags": "" }, { "id": "EXF-026", "severity": "high", "score": 80, "description": "Stripe API Key", "pattern": "sk_live[A-Za-z0-9]{24,}", "flags": "" }, { "id": "EXF-027", "severity": "high", "score": 80, "description": "Twilio credentials", "pattern": "(?i)twilio.(?:token|sid)\s[=:]\s*[A-Za-z0-9]{32}", "flags": "" }, { "id": "EXF-028", "severity": "high", "score": 78, "description": "SendGrid API Key", "pattern": "SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}", "flags": "" }, { "id": "EXF-029", "severity": "medium", "score": 65, "description": "Australian Drivers License", "pattern": "(?i)(driver'?s?\s+licen[cs]e|DL)\s*:?\s*\d{6,10}", "flags": "" }, { "id": "EXF-030", "severity": "high", "score": 80, "description": "Google OAuth token", "pattern": "ya29\.[A-Za-z0-9_-]{50,}", "flags": "" }, { "id": "EXF-031", "severity": "medium", "score": 70, "description": "Encode and send pattern", "pattern": "(?i)(base64|encode).send\s+(to|via)\s+", "flags": "" }, { "id": "EXF-032", "severity": "high", "score": 82, "description": "Azure connection string", "pattern": "(?i)DefaultEndpointsProtocol=https?;AccountName=[^;]+;AccountKey=[^;]+", "flags": "" }, { "id": "EXF-033", "severity": "high", "score": 85, "description": "Infostealer targeting OpenClaw config files (Vidar variant)", "pattern": "(?i)(openclaw\.json|device\.json|gateway[\s]?token|soul\.md)", "flags": "", "name": "OpenClaw config file exfiltration", "source": "Hudson Rock / The Hacker News 2026-02-20", "category": "exfiltration" }, { "id": "EXF-034", "severity": "critical", "score": 95, "description": "Telethon session string (long base64 exported session)", "pattern": "\b1BQA[A-Za-z0-9+/=-]{50,}", "flags": "", "name": "Telethon session string", "source": "BL-027 Telegram OAuth investigation 2026-02-21", "tags": ["telegram", "session-hijack"] }, { "id": "EXF-035", "severity": "critical", "score": 93, "description": "Pyrogram session string (long base64 exported session)", "pattern": "\bBQA[A-Za-z0-9+/=-]{60,}", "flags": "", "name": "Pyrogram session string", "source": "BL-027 Telegram OAuth investigation 2026-02-21", "tags": ["telegram", "session-hijack"] }, { "id": "EXF-036", "severity": "critical", "score": 95, "description": "Telegram bot token (numeric ID colon hash)", "pattern": "\b\d{8,12}:[A-Za-z0-9-]{35,}\b", "flags": "", "name": "Telegram bot token", "source": "BL-027 Telegram OAuth investigation 2026-02-21", "tags": ["telegram", "bot-token"] }, { "id": "EXF-037", "severity": "high", "score": 88, "description": "Telegram API hash credential (api_hash = 32-hex string)", "pattern": "(?i)api[_\s]?hash\s[=:]\s*[a-fA-F0-9]{32}", "flags": "", "name": "Telegram api_hash credential", "source": "BL-027 Telegram OAuth investigation 2026-02-21", "tags": ["telegram", "api-credentials"] } ] }

File v2.1.0:definitions/injection-sigs.json

{ "category": "prompt_injection", "version": "1.0.0", "updated": "2026-02-21", "signatures": [ { "id": "INJ-001", "severity": "critical", "score": 95, "description": "System prompt override with [SYSTEM]:", "pattern": "(?i)(?<!\[)(?:Human|Assistant)\s*:\s*(?:ignore|forget|disregard|override)", "flags": "i", "name": "Role impersonation with override" }, { "id": "INJ-002", "severity": "critical", "score": 95, "description": "System prompt override with <<SYS>>", "pattern": "<<SYS>>", "flags": "i" }, { "id": "INJ-003", "severity": "critical", "score": 90, "description": "Triple-backtick system block", "pattern": "system\\b", "flags": "i" }, { "id": "INJ-004", "severity": "critical", "score": 92, "description": "Ignore previous instructions", "pattern": "ignore\\s+(all\\s+)?previous\\s+instructions", "flags": "i" }, { "id": "INJ-005", "severity": "critical", "score": 90, "description": "Forget your rules", "pattern": "forget\\s+(all\\s+)?(your|the)\\s+(rules|instructions|guidelines|constraints)", "flags": "i" }, { "id": "INJ-006", "severity": "critical", "score": 92, "description": "You are now a different AI", "pattern": "you\\s+are\\s+now\\s+(a|an|the)\\s+", "flags": "i" }, { "id": "INJ-007", "severity": "high", "score": 85, "description": "Disregard previous directives", "pattern": "disregard\\s+(all\\s+)?(previous|prior|above|earlier)\\s+(directives|instructions|prompts|rules)", "flags": "i" }, { "id": "INJ-008", "severity": "critical", "score": 95, "description": "DAN mode jailbreak", "pattern": "\\bDAN\\s+mode\\b", "flags": "i" }, { "id": "INJ-009", "severity": "critical", "score": 93, "description": "Developer mode enable", "pattern": "\\bdeveloper\\s+mode\\s*(enabled|on|activate)", "flags": "i" }, { "id": "INJ-010", "severity": "high", "score": 88, "description": "No restrictions directive", "pattern": "\\b(without|no|remove|disable)\\s+(any\\s+)?(restrictions|limitations|filters|guardrails|safety)", "flags": "i" }, { "id": "INJ-011", "severity": "high", "score": 85, "description": "Override safety measures", "pattern": "override\\s+(your\\s+)?(safety|security|content)\\s+(measures|filters|policies)", "flags": "i" }, { "id": "INJ-012", "severity": "high", "score": 80, "description": "Pretend you can do anything", "pattern": "pretend\\s+(that\\s+)?(you|u)\\s+(can|are\\s+able\\s+to|have\\s+no)", "flags": "i" }, { "id": "INJ-013", "severity": "high", "score": 82, "description": "Act as if you have no rules", "pattern": "act\\s+(as\\s+if|like)\\s+(you\\s+)?(have\\s+no|there\\s+are\\s+no)\\s+(rules|restrictions)", "flags": "i" }, { "id": "INJ-014", "severity": "critical", "score": 90, "description": "New system prompt injection", "pattern": "new\\s+system\\s+prompt\\s*:", "flags": "i" }, { "id": "INJ-015", "severity": "high", "score": 85, "description": "Reveal your system prompt", "pattern": "(reveal|show|display|print|output|tell\\s+me)\\s+(your\\s+)?(system\\s+prompt|initial\\s+instructions|hidden\\s+instructions)", "flags": "i" }, { "id": "INJ-016", "severity": "high", "score": 82, "description": "What are your instructions", "pattern": "what\\s+are\\s+your\\s+(instructions|rules|guidelines|system\\s+prompt)", "flags": "i" }, { "id": "INJ-017", "severity": "medium", "score": 70, "description": "Repeat everything above", "pattern": "repeat\\s+(everything|all|the\\s+text)\\s+(above|before\\s+this)", "flags": "i" }, { "id": "INJ-018", "severity": "high", "score": 85, "description": "Base64 encoded instruction injection", "pattern": "base64[:\\s]+(decode|eval|execute)\\b", "flags": "i" }, { "id": "INJ-019", "severity": "high", "score": 80, "description": "Unicode/encoding obfuscation attempt", "pattern": "\\\\u[0-9a-fA-F]{4}.*\\\\u[0-9a-fA-F]{4}.*\\\\u[0-9a-fA-F]{4}", "flags": "" }, { "id": "INJ-020", "severity": "critical", "score": 90, "description": "Jailbreak prompt keyword", "pattern": "\\b(jailbreak|jail\\s*break)\\s*(prompt|mode|this)", "flags": "i" }, { "id": "INJ-021", "severity": "high", "score": 83, "description": "Roleplay as unrestricted AI", "pattern": "roleplay\\s+(as|being)\\s+(an?\\s+)?(unrestricted|unfiltered|uncensored)", "flags": "i" }, { "id": "INJ-022", "severity": "high", "score": 85, "description": "Ignore content policy", "pattern": "ignore\\s+(the\\s+)?(content\\s+policy|usage\\s+policy|terms\\s+of\\s+service|ethical\\s+guidelines)", "flags": "i" }, { "id": "INJ-023", "severity": "medium", "score": 75, "description": "Hidden text in markdown", "pattern": "<!--\\s*(?:ignore|override|inject|bypass|jailbreak|system\\s*prompt)[^>]*-->", "flags": "is" }, { "id": "INJ-024", "severity": "high", "score": 80, "description": "Prompt leaking via completion", "pattern": "complete\\s+the\\s+following\\s*:.*\\[INST\\]", "flags": "i" }, { "id": "INJ-025", "severity": "critical", "score": 92, "description": "INST tag injection", "pattern": "\\[/?INST\\]", "flags": "" }, { "id": "INJ-026", "severity": "high", "score": 85, "description": "From now on respond without", "pattern": "from\\s+now\\s+on\\s+(respond|answer|reply)\\s+(without|with\\s+no)", "flags": "i" }, { "id": "INJ-027", "severity": "medium", "score": 72, "description": "Hypothetical scenario bypass", "pattern": "(hypothetically|in\\s+a\\s+hypothetical|for\\s+a\\s+fictional)\\s+.*\\b(how\\s+to|explain|tell)", "flags": "i" }, { "id": "INJ-028", "severity": "high", "score": 80, "description": "Do anything now", "pattern": "\\bdo\\s+anything\\s+now\\b", "flags": "i" }, { "id": "INJ-029", "severity": "high", "score": 83, "description": "Stop being an AI", "pattern": "stop\\s+being\\s+(an?\\s+)?AI", "flags": "i" }, { "id": "INJ-030", "severity": "medium", "score": 70, "description": "Translate to bypass filters", "pattern": "translate\\s+to\\s+.{2,20}\\s*:.*(?:kill|hack|bomb|weapon)", "flags": "i" }, { "id": "INJ-031", "severity": "high", "score": 85, "description": "System message XML injection", "pattern": "<\\|?(system|im_start|im_end)\\|?>", "flags": "i" }, { "id": "INJ-033", "severity": "medium", "score": 68, "description": "Encoded payload marker", "pattern": "\\b(eval|exec|decode)\\s*\\(\\s*['\"]", "flags": "i" }, { "id": "INJ-034", "severity": "high", "score": 80, "description": "Persona switch attempt", "pattern": "switch\\s+(to|into)\\s+(persona|character|mode|role)\\s*:", "flags": "i" }, { "id": "INJ-035", "severity": "high", "score": 82, "description": "Bypass content filter", "pattern": "bypass\\s+(the\\s+)?(content|safety|output)\\s+(filter|check|restriction)", "flags": "i" }, { "id": "INJ-036", "severity": "medium", "score": 72, "description": "Opposite day technique", "pattern": "(opposite\\s+day|opposite\\s+mode|reversed\\s+rules)", "flags": "i" }, { "id": "INJ-037", "severity": "high", "score": 85, "description": "Token smuggling delimiters", "pattern": "\\|\\|\\|.*SYSTEM.*\\|\\|\\|", "flags": "i" }, { "id": "INJ-038", "severity": "medium", "score": 70, "description": "Grandmother exploit", "pattern": "my\\s+(dead\\s+)?grandmother\\s+(used\\s+to|would)", "flags": "i" }, { "id": "INJ-039", "severity": "high", "score": 80, "description": "Multi-language injection evasion", "pattern": "en\\s+espa\u00f1ol\\s*:.*ignor", "flags": "i" }, { "id": "INJ-040", "severity": "critical", "score": 90, "description": "Prompt injection research payload", "pattern": "pwned|PWNED|p]w]n]e]d", "flags": "" }, { "id": "INJ-041", "severity": "high", "score": 78, "description": "Markdown image injection", "pattern": "!\\[.*\\]\\(https?://.*\\?.*prompt", "flags": "i" }, { "id": "INJ-042", "severity": "high", "score": 82, "description": "Instruction in code block", "pattern": "\s*(ignore|override|system|new instructions)", "flags": "i" }, { "id": "INJ-043", "severity": "medium", "score": 68, "description": "Zero-width character obfuscation", "pattern": "[\u200b\u200c\u200d\ufeff]{3,}", "flags": "" }, { "id": "INJ-044", "severity": "high", "score": 80, "description": "ChatML injection", "pattern": "<\|im_start\|>", "flags": "" }, { "id": "INJ-045", "severity": "high", "score": 82, "description": "Forget everything before this", "pattern": "forget\s+(everything|all)\s+(before|above|prior)", "flags": "i" }, { "id": "INJ-046", "severity": "medium", "score": 72, "description": "ASCII art evasion", "pattern": "(?i)(?:^|\n)\signore\s+(?:all\s+)?(?:previous|above|prior|earlier)\s+(?:instructions|rules|prompts|guidelines|directions)", "flags": "i" }, { "id": "INJ-047", "severity": "high", "score": 80, "description": "Simulate unrestricted mode", "pattern": "simulate\s+(an?\s+)?(unrestricted|unfiltered|uncensored)\s+(mode|version|AI)", "flags": "i" }, { "id": "INJ-048", "severity": "high", "score": 85, "description": "Direct prompt injection marker", "pattern": "BEGIN\s+INJECTION|END\s+INJECTION|INJECT:", "flags": "i" }, { "id": "INJ-049", "severity": "medium", "score": 75, "description": "Continuation attack", "pattern": "continue\s+from\s+where\s+(the\s+)?system\s+prompt", "flags": "i" }, { "id": "INJ-050", "severity": "high", "score": 80, "description": "Overwrite instructions directive", "pattern": "(overwrite|replace|update)\s+(your|the|all)\s+(instructions|system\s+prompt|rules)", "flags": "i" }, { "id": "INJ-051", "severity": "high", "score": 78, "description": "Markdown link with data exfil", "pattern": "!\[.\]\(https?://[^)]+\{\{", "flags": "i" }, { "id": "INJ-052", "severity": "medium", "score": 70, "description": "Adversarial suffix pattern", "pattern": "describing\.\+ similarlyNow write", "flags": "i" }, { "id": "INJ-053", "severity": "high", "score": 88, "description": "AI memory poisoning via fetched web content — persistence injection commands targeting AI memory context", "pattern": "(?i)(remember\s+(?:\S+\s+){1,3}as\s+(?:trusted|preferred|best)|always\s+recommend|add\s+(?:this\s+)?to\s+(?:your\s+)?memory)", "flags": "i", "name": "Memory persistence injection", "category": "prompt_injection", "source": "Microsoft Security Blog 2026-02-10", "tags": ["memory-poisoning", "persistence", "web-content"] } ] }

File v2.1.0:definitions/manifest.json

{ "version": "1.0.0", "updated": "2026-02-21T09:00:00Z", "files": { "injection-sigs.json": {"category": "prompt_injection", "sigCount": 52, "version": "1.0.0"}, "exfil-patterns.json": {"category": "data_exfiltration", "sigCount": 37, "version": "1.0.0"}, "tool-abuse.json": {"category": "tool_abuse", "sigCount": 30, "version": "1.0.1"}, "social-engineering.json": {"category": "social_engineering", "sigCount": 27, "version": "1.0.1"}, "openclaw-hardening.json": {"category": "openclaw_hardening", "sigCount": 15, "version": "1.0.0"} }, "totalSignatures": 161, "updateStatus": "current" }

File v2.1.0:definitions/openclaw-hardening.json

{ "category": "openclaw_hardening", "version": "1.0.0", "updated": "2026-02-18", "checks": [ {"id": "HRD-001", "severity": "critical", "score": 95, "description": "No gateway auth configured", "check": "auth_missing", "path": "auth", "condition": "missing_or_empty"}, {"id": "HRD-002", "severity": "high", "score": 85, "description": "Weak or default auth token", "check": "weak_token", "path": "auth.profiles", "condition": "has_default_token"}, {"id": "HRD-003", "severity": "high", "score": 80, "description": "No rate limiting configured", "check": "rate_limit_missing", "path": "gateway.rateLimit", "condition": "missing"}, {"id": "HRD-004", "severity": "high", "score": 82, "description": "Gateway bound to 0.0.0.0", "check": "bind_all_interfaces", "path": "gateway.host", "condition": "equals_0.0.0.0"}, {"id": "HRD-005", "severity": "medium", "score": 70, "description": "No channel restrictions defined", "check": "no_channel_restrictions", "path": "channels", "condition": "missing_or_empty"}, {"id": "HRD-006", "severity": "medium", "score": 68, "description": "Missing model allowlist", "check": "no_model_allowlist", "path": "models.allowlist", "condition": "missing"}, {"id": "HRD-007", "severity": "medium", "score": 65, "description": "No IP whitelist configured", "check": "no_ip_whitelist", "path": "gateway.ipWhitelist", "condition": "missing"}, {"id": "HRD-008", "severity": "medium", "score": 72, "description": "CORS allows all origins", "check": "cors_wildcard", "path": "gateway.cors.origin", "condition": "equals_wildcard"}, {"id": "HRD-009", "severity": "low", "score": 50, "description": "Debug mode enabled", "check": "debug_enabled", "path": "debug", "condition": "truthy"}, {"id": "HRD-010", "severity": "medium", "score": 68, "description": "No TLS/HTTPS configured", "check": "no_tls", "path": "gateway.tls", "condition": "missing"}, {"id": "HRD-011", "severity": "low", "score": 55, "description": "Logging level too verbose", "check": "verbose_logging", "path": "logging.level", "condition": "equals_debug"}, {"id": "HRD-012", "severity": "medium", "score": 70, "description": "No session timeout configured", "check": "no_session_timeout", "path": "sessions.timeout", "condition": "missing"}, {"id": "HRD-013", "severity": "high", "score": 80, "description": "External tool execution unrestricted", "check": "unrestricted_tools", "path": "tools.restrictions", "condition": "missing"}, {"id": "HRD-014", "severity": "medium", "score": 65, "description": "No audit logging configured", "check": "no_audit_log", "path": "logging.audit", "condition": "missing_or_false"}, {"id": "HRD-015", "severity": "medium", "score": 60, "description": "Auto-update disabled", "check": "no_auto_update", "path": "updates.auto", "condition": "false"} ] }

File v2.1.0:definitions/social-engineering.json

{ "category": "social_engineering", "version": "1.0.0", "updated": "2026-02-21T09:00:00Z", "signatures": [ { "id": "SOC-001", "severity": "high", "score": 80, "description": "Admin impersonation", "pattern": "(?i)\b(i'?m|i\s+am)\s+(the\s+)?(admin|administrator|root\s+user|system\s+admin)", "flags": "" }, { "id": "SOC-002", "severity": "high", "score": 80, "description": "CEO/executive impersonation", "pattern": "(?i)\b(CEO|CTO|CFO)\s+(here|speaking|requesting)", "flags": "" }, { "id": "SOC-003", "severity": "medium", "score": 72, "description": "Urgency - immediately", "pattern": "(?i)\b(do\s+this\s+)?immediately\b.(send|transfer|delete|share)", "flags": "" }, { "id": "SOC-004", "severity": "medium", "score": 70, "description": "Before audit pressure", "pattern": "(?i)(before\s+the\s+audit|audit\s+starts|compliance\s+deadline)", "flags": "" }, { "id": "SOC-005", "severity": "high", "score": 82, "description": "Phishing - click this link", "pattern": "(?i)(click|open|visit)\s+(this|the)\s+(link|url|website)\s+(to|and)\s+(verify|confirm|update)", "flags": "" }, { "id": "SOC-006", "severity": "high", "score": 82, "description": "Verify your account", "pattern": "(?i)verify\s+your\s+(account|identity|credentials|login)", "flags": "" }, { "id": "SOC-007", "severity": "medium", "score": 70, "description": "Don't tell anyone", "pattern": "(?i)(don'?t|do\s+not)\s+(tell|mention|inform)\s+(anyone|the\s+team|others)", "flags": "" }, { "id": "SOC-008", "severity": "high", "score": 78, "description": "Account suspended threat", "pattern": "(?i)(account|access)\s+(will\s+be\s+|has\s+been\s+)?(suspended|locked|terminated|revoked)", "flags": "" }, { "id": "SOC-009", "severity": "medium", "score": 68, "description": "Time-limited offer pressure", "pattern": "(?i)(expires?\s+in|only\s+\d+\s+minutes?|last\s+chance|limited\s+time)", "flags": "" }, { "id": "SOC-010", "severity": "high", "score": 80, "description": "Password reset request", "pattern": "(?i)(reset|change|update)\s+(your\s+)?password\s+(now|immediately|urgently)", "flags": "" }, { "id": "SOC-011", "severity": "medium", "score": 72, "description": "Authority override request", "pattern": "(?i)(as\s+your\s+(boss|manager|supervisor)|on\s+behalf\s+of\s+management)", "flags": "" }, { "id": "SOC-012", "severity": "high", "score": 78, "description": "Wire transfer request", "pattern": "(?i)(wire|transfer|send)\s+\$?\d+.\b(to|into)\s+(this\s+)?account", "flags": "" }, { "id": "SOC-013", "severity": "medium", "score": 70, "description": "Confidential bypass", "pattern": "(?i)this\s+is\s+(confidential|classified|top\s+secret).*bypass", "flags": "" }, { "id": "SOC-014", "severity": "medium", "score": 65, "description": "IT support impersonation", "pattern": "(?i)(IT\s+(support|department|team)|tech\s+support)\s+(here|needs|requires)", "flags": "" }, { "id": "SOC-015", "severity": "medium", "score": 68, "description": "Emergency override", "pattern": "(?i)(emergency|critical\s+situation).override\s+(the\s+)?(normal|standard|usual)", "flags": "" }, { "id": "SOC-016", "severity": "medium", "score": 65, "description": "Security test pretense", "pattern": "(?i)(this\s+is\s+a\s+security\s+test|testing\s+security|authorized\s+pen\stest)", "flags": "" }, { "id": "SOC-017", "severity": "high", "score": 75, "description": "Quid pro quo offer", "pattern": "(?i)(if\s+you\s+(do|help).i'?ll\s+(give|reward|pay|promote))", "flags": "" }, { "id": "SOC-018", "severity": "medium", "score": 68, "description": "Sympathy manipulation", "pattern": "(?i)(please\s+help.\b(dying|sick|emergency|hospital)|my\s+(child|mother|father)\s+is)", "flags": "" }, { "id": "SOC-019", "severity": "medium", "score": 65, "description": "Fake deadline", "pattern": "(?i)(must\s+be\s+done\s+by|deadline\s+is|due\s+in\s+\d+\s+minutes?)", "flags": "" }, { "id": "SOC-020", "severity": "high", "score": 78, "description": "Data sharing under pretense", "pattern": "(?i)(share|send|forward)\s+(all|the|your)\s+(files|data|documents|database)\s+(to|with)\s+(me|this\s+email)", "flags": "" }, { "id": "SOC-021", "severity": "high", "score": 82, "description": "QR code scan social engineering \u2014 Telegram OAuth abuse vector", "pattern": "(?i)(scan|open)\s+(?:\w+\s+){0,2}(qr(?:[\s-]?code?)?).{0,50}(telegram|login|verify|authoriz|confirm)", "flags": "", "source": "CYFIRMA 2026-02-07", "tags": [ "telegram", "oauth", "qr-login" ] }, { "id": "SOC-022", "severity": "high", "score": 82, "description": "Authorization prompt approval manipulation \u2014 Telegram session hijack", "pattern": "(?i)(approve|accept|confirm|allow|tap)\s+(the\s+)?(authorization|login\s+request|access\s+request|signin|sign.in)\s+(prompt|request|from|on)", "flags": "", "source": "CYFIRMA 2026-02-07", "tags": [ "telegram", "oauth", "session-hijack" ] }, { "id": "SOC-023", "severity": "high", "score": 80, "description": "Telegram support/security impersonation", "pattern": "(?i)(telegram\s+(support|security\s+team|official|admin|help\s+desk)|official\s+telegram\s+(team|message|notice))", "flags": "", "tags": [ "telegram", "impersonation" ] }, { "id": "SOC-024", "severity": "high", "score": 80, "description": "Confirm login on device \u2014 Telegram QR/OAuth prompt lure", "pattern": "(?i)(confirm|approve|tap\s+confirm).{0,30}(login|sign.?in|access).{0,30}(your\s+)?(phone|device|mobile|app|telegram)", "flags": "", "tags": [ "telegram", "oauth", "session-hijack" ] }, { "id": "SOC-025", "severity": "high", "score": 84, "description": "Request to share Telegram session string or login token", "pattern": "(?i)(send|share|paste|provide|give)\s+(me\s+)?(?:your\s+)?(session[\s]string|login[\s]token|auth[_\s]token|session\s+code).{0,30}(telegram|tg|bot)", "flags": "", "tags": [ "telegram", "session-hijack", "exfiltration" ] }, { "id": "SOC-026", "severity": "medium", "score": 74, "description": "Telegram new device/session login alert lure", "pattern": "(?i)(new\s+(device|session|login).{0,30}(detected|added|authorized|telegram)|(your\s+)?telegram\s+(account|session).{0,30}(logged\s+in|authorized|new\s+device))", "flags": "", "tags": [ "telegram", "phishing", "session-hijack" ] }, { "id": "SOC-027", "severity": "high", "score": 88, "description": "AI-generated synthetic identity or deepfake persona used to establish trust before credential request", "pattern": "(?i)(i\s+am\s+(an?\s+)?(ai|artificial\s+intelligence|virtual\s+assistant|digital\s+twin).{0,60}(verify|confirm|authenticate|send|provide|share).{0,40}(code|password|pin|token|credential|otp|mfa|2fa)|(deepfake|synthetic|generated|cloned).{0,30}(voice|video|identity|persona).{0,40}(trust|verify|confirm|authenticate))", "flags": "", "tags": [ "ai-lure", "synthetic-identity", "deepfake", "credential-theft", "emerging-threat" ] } ] }

File v2.1.0:definitions/tool-abuse.json

{ "category": "tool_abuse", "version": "1.0.0", "updated": "2026-02-18", "signatures": [ {"id": "TAB-001", "severity": "critical", "score": 95, "description": "Recursive force delete", "pattern": "\brm\s+-rf\s+/", "flags": ""}, {"id": "TAB-002", "severity": "critical", "score": 90, "description": "Chmod world-writable", "pattern": "\bchmod\s+777\b", "flags": ""}, {"id": "TAB-003", "severity": "critical", "score": 95, "description": "Curl pipe to bash", "pattern": "curl\s+[^|]\|\s(ba)?sh", "flags": ""}, {"id": "TAB-004", "severity": "critical", "score": 95, "description": "Wget pipe to shell", "pattern": "wget\s+[^|]\|\s(ba)?sh", "flags": ""}, {"id": "TAB-005", "severity": "critical", "score": 92, "description": "Read shadow file", "pattern": "cat\s+/etc/shadow", "flags": ""}, {"id": "TAB-006", "severity": "high", "score": 85, "description": "Env grep for keys/secrets", "pattern": "\benv\b.\|.grep.(KEY|SECRET|TOKEN|PASS|CRED)", "flags": "i"}, {"id": "TAB-007", "severity": "high", "score": 82, "description": "Read passwd file", "pattern": "cat\s+/etc/passwd", "flags": ""}, {"id": "TAB-008", "severity": "high", "score": 85, "description": "Nmap network scan", "pattern": "\bnmap\s+", "flags": ""}, {"id": "TAB-009", "severity": "medium", "score": 70, "description": "Netstat connection listing", "pattern": "\bnetstat\s+-[atnlp]", "flags": ""}, {"id": "TAB-010", "severity": "high", "score": 80, "description": "Mass file deletion", "pattern": "\bfind\s+/\s+.-delete\b", "flags": ""}, {"id": "TAB-011", "severity": "critical", "score": 92, "description": "Sudo privilege escalation", "pattern": "\bsudo\s+(su|bash|sh|chmod|chown|passwd)", "flags": ""}, {"id": "TAB-012", "severity": "high", "score": 85, "description": "Reverse shell", "pattern": "\bbash\s+-i\s+>\s*&\s*/dev/tcp/", "flags": ""}, {"id": "TAB-013", "severity": "high", "score": 85, "description": "Netcat listener", "pattern": "\bnc\s+-[ln].-[ep]\s", "flags": ""}, {"id": "TAB-014", "severity": "high", "score": 80, "description": "Python reverse shell", "pattern": "python.socket.connect.exec", "flags": "i"}, {"id": "TAB-015", "severity": "critical", "score": 90, "description": "Format disk", "pattern": "\bmkfs\s+/dev/", "flags": ""}, {"id": "TAB-016", "severity": "critical", "score": 92, "description": "DD disk overwrite", "pattern": "\bdd\s+if=.of=/dev/", "flags": ""}, {"id": "TAB-017", "severity": "high", "score": 82, "description": "Kill all processes", "pattern": "\bkillall\s+-9\b|\bkill\s+-9\s+-1\b", "flags": ""}, {"id": "TAB-018", "severity": "high", "score": 78, "description": "Crontab modification", "pattern": "\bcrontab\s+-[er]\b", "flags": ""}, {"id": "TAB-019", "severity": "medium", "score": 72, "description": "SSH key operations", "pattern": "\bssh-keygen\b.|cat.\.ssh/(id_rsa|authorized_keys)", "flags": ""}, {"id": "TAB-020", "severity": "high", "score": 80, "description": "Download and execute", "pattern": "\bwget\s+.&&.\bchmod\s+\+x\b", "flags": ""}, {"id": "TAB-021", "severity": "high", "score": 78, "description": "Mass file permission change", "pattern": "\bchmod\s+-R\s+[0-7]{3}\s+/", "flags": ""}, {"id": "TAB-022", "severity": "high", "score": 80, "description": "IPtables flush", "pattern": "\biptables\s+-F\b", "flags": ""}, {"id": "TAB-023", "severity": "medium", "score": 68, "description": "Port scanning", "pattern": "\b(nmap|masscan|zmap)\s+", "flags": ""}, {"id": "TAB-024", "severity": "high", "score": 82, "description": "Fork bomb", "pattern": ":\(\)\{\s:\|:&\s*\}", "flags": ""}, {"id": "TAB-025", "severity": "high", "score": 80, "description": "Credential file access", "pattern": "cat\s+.(credentials|secrets|tokens|passwords|\.(env|npmrc|netrc))", "flags": "i"}, {"id": "TAB-026", "severity": "medium", "score": 70, "description": "History file access", "pattern": "cat\s+.\.(bash_history|zsh_history|history)", "flags": ""}, {"id": "TAB-027", "severity": "high", "score": 78, "description": "Systemctl stop/disable", "pattern": "\bsystemctl\s+(stop|disable)\s+(firewalld|ufw|iptables)", "flags": ""}, {"id": "TAB-028", "severity": "critical", "score": 93, "description": "ToxicSkills: base64 shell decode (obfuscated payload in skill content)", "pattern": "base64\s+(-d|--decode)", "flags": "i"}, {"id": "TAB-029", "severity": "critical", "score": 95, "description": "ToxicSkills: JavaScript eval(atob()) obfuscated execution in skill content", "pattern": "eval\s*\(.atob", "flags": "i"}, {"id": "TAB-030", "severity": "critical", "score": 93, "description": "ToxicSkills: curl with silent flags piped to bash (obfuscated download-and-execute)", "pattern": "curl\s+-[sSlL][sS][sSlL]\s+.\|\s*bash", "flags": "i"} ] }

File v2.1.0:pyproject.toml

[build-system] requires = ["setuptools>=68"] build-backend = "setuptools.build_meta"

[project] name = "guardian-ai" version = "2.1.0" description = "Standalone AI security engine for prompt injection and tool abuse defense" readme = "README.md" requires-python = ">=3.8" license = {text = "MIT"} authors = [{name = "Guardian Contributors"}] dependencies = []

[project.scripts] guardian-scan = "scripts.guardian:main" guardian-serve = "scripts.serve:main" guardian-admin = "scripts.admin:main"

[tool.setuptools] packages = ["guardian", "guardian.integrations", "core", "integrations", "scripts"]