openclaw-warden

Verified·Scanned 2/17/2026

Monitors workspace file integrity and scans for prompt injection patterns in agent files. Contains instructions to run python3 scripts/integrity.py locally and to clone https://github.com/AtlasPA/openclaw-warden.git via git.

from clawhub.ai·v9dfa4e1·31.8 KB·0 installs
Scanned from 1.0.2 at 9dfa4e1 · Transparency log ↗
$ vett add clawhub.ai/atlaspa/openclaw-warden

OpenClaw Warden

Free workspace integrity verification for OpenClaw, Claude Code, and any Agent Skills-compatible tool.

Detects unauthorized modifications to agent identity and memory files and scans for prompt injection patterns — the post-installation security layer that other tools miss.

Want automated countermeasures? Upgrade to Pro — snapshot restore, skill quarantine, git rollback, and automated protection sweeps. Get Pro access.

The Problem

AI agents read workspace files (SOUL.md, AGENTS.md, IDENTITY.md, memory files) on every session startup and trust them implicitly. Existing security tools scan skills before installation. Nothing monitors the workspace itself afterward.

A compromised skill, a malicious payload, or any process with file access can inject hidden instructions, embed exfiltration URLs, override safety boundaries, or plant persistent backdoors.

This skill detects all of these.

Install

# Clone
git clone https://github.com/AtlasPA/openclaw-warden.git

# Copy to your workspace skills directory
cp -r openclaw-warden ~/.openclaw/workspace/skills/

Usage

# Establish baseline
python3 scripts/integrity.py baseline

# Check for modifications + injections
python3 scripts/integrity.py full

# Quick health check
python3 scripts/integrity.py status

# Accept a legitimate change
python3 scripts/integrity.py accept SOUL.md

All commands accept --workspace /path/to/workspace. If omitted, auto-detects from $OPENCLAW_WORKSPACE, current directory, or ~/.openclaw/workspace.

What It Detects

Integrity Violations

  • Modified files (SHA-256 checksum comparison)
  • Deleted files
  • New untracked files

Prompt Injection Patterns

  • Instruction override — "ignore previous instructions", "you are now", "forget your instructions"
  • System prompt markers<system>, [SYSTEM], <<SYS>>, [INST]
  • Markdown exfiltration — Image tags with encoded data in URLs
  • Base64 payloads — Large encoded blobs outside code blocks
  • Unicode manipulation — Zero-width characters, RTL overrides, homoglyphs
  • HTML injection<script>, <iframe>, hidden elements
  • Shell injection$(...) subshell execution outside code blocks

Smart Detection

  • Respects markdown fenced code blocks (no false positives on documented examples)
  • Skips its own files (which describe injection patterns)
  • Distinguishes file categories: critical, memory, config, skills

File Categories

CategoryFilesAlert Level
CriticalSOUL.md, AGENTS.md, IDENTITY.md, USER.md, TOOLS.md, HEARTBEAT.mdWARNING
Memorymemory/*.md, MEMORY.mdINFO
Config*.json in workspace rootWARNING
Skillsskills/*/SKILL.mdWARNING

Injection patterns always trigger CRITICAL regardless of category.

Exit Codes

CodeMeaning
0Clean
1Modifications detected
2Injection patterns detected

Free vs Pro

FeatureFreePro
Baseline checksumsYesYes
Integrity verificationYesYes
Injection scanningYesYes
Snapshot restore-Yes
Git rollback-Yes
Skill quarantine-Yes
Automated protect-Yes
Session startup hook-Yes

Requirements

  • Python 3.8+
  • No external dependencies (stdlib only)
  • Cross-platform: Windows, macOS, Linux

License

MIT