
AI-Warden — Prompt Injection Protection

v1.4.1

Install, configure, and manage the AI-Warden prompt injection protection plugin for OpenClaw. Publisher: AI-Warden (ai-warden.io). Source: github.com/ai-ward...

by @ai-warden·MIT-0
License: MIT-0
Last updated: 2026/4/6
Security scan: VirusTotal: suspicious
OpenClaw security assessment: medium confidence
The skill's instructions and requirements are consistent with installing and configuring an OpenClaw plugin, but it performs a network install of a third‑party npm package and modifies your OpenClaw config so you should verify the upstream package and repository before proceeding.
Assessment recommendations
This SKILL.md is coherent for installing an OpenClaw plugin, but take these precautions before running it: (1) Verify the package and repository yourself—visit the GitHub repo (https://github.com/ai-warden/openclaw-plugin) and the npm page to ensure publisher legitimacy; the registry metadata in the skill omitted a homepage which is worth confirming. (2) Inspect the installed package in node_modules (and any install scripts) before copying files into ~/.openclaw/extensions; npm install can run a...
Detailed analysis

Purpose and capabilities
The name/description (install and manage an AI‑Warden plugin) matches the actions in SKILL.md: creating an extension directory, npm installing openclaw-ai-warden, copying plugin files into the extensions root, and patching ~/.openclaw/openclaw.json to register the plugin. The optional AI_WARDEN_API_KEY is appropriate for an online detection service.
Instruction scope
Instructions are explicit and limited to plugin installation and configuration: they read and write ~/.openclaw/openclaw.json, write into ~/.openclaw/extensions/ai-warden/, run npm install, and optionally add an API key either as an env var or in the config file. This is expected for a plugin installer, but it does grant the installation the ability to download and place executable plugin code and to persist a secret in your config file (Option B). The SKILL.md does include safety steps (backup, package provenance checks), which is good practice.
Installation mechanism
There is no automated install spec in the registry; the SKILL.md instructs a manual npm install from the public npm registry. Using npm is a common and reasonably traceable method, but npm packages can run install scripts and may contain malicious code. The instructions recommend verifying repository URL and dist.shasum via npm info, which helps but does not eliminate risk. No arbitrary URL downloads or URL shorteners are used.
Credential requirements
No credentials are required by default. The optional AI_WARDEN_API_KEY is proportional to the advertised online-detection feature. The skill explicitly offers both env var storage (recommended) and storing the key in openclaw.json (with a chmod 600 suggestion). Storing secrets in the config is convenient but increases exposure; the skill documents this trade-off.
Persistence and permissions
The skill modifies the agent's ~/.openclaw/openclaw.json to register and enable the plugin so the plugin will persist and be loaded automatically. This is expected behavior for installing a plugin. Because the plugin code will be placed under ~/.openclaw/extensions, it becomes a persistent component that the agent may invoke autonomously (the platform default). This persistence is appropriate for the stated purpose but increases the importance of verifying the plugin's provenance.
Security is layered; review the code before running it.

License

MIT-0

Free to use, modify and redistribute; no attribution required.

Runtime dependencies

No special dependencies

Versions

latest: v1.4.1 (2026/3/25)

Skill metadata and install instructions updated for improved security and clarity.
  • Added explicit package versioning (`openclaw-ai-warden@2.4.0`) and NPM provenance/integrity verification steps.
  • Installation steps now require version checks and shasum verification for supply chain security.
  • Install manifest specifies required Node.js version, NPM, and optional `AI_WARDEN_API_KEY` environment variable.
  • Clarified instructions regarding the use of `plugins.allow` in configuration.
  • Updated all install and update commands to reference the new required package version.
  • No changes to runtime logic—documentation improvements and best practices only.


Install commands

Official: npx clawhub@latest install ai-warden-setup
Mirror (China): npx clawhub@latest install ai-warden-setup --registry https://cn.clawhub-mirror.com

The registry you install from decides which copy of the skill you receive; the mirror is a third-party host, so use the official registry unless you have verified the mirror yourself.

Skill documentation

Prompt injection protection for OpenClaw agents. 5 security shields + contamination lockdown.

Requirements

  • OpenClaw 2026.3.14+ (including 4.x)
  • Node.js 18+
  • npm (bundled with Node.js)

Installation — FOLLOW THESE STEPS IN ORDER

Each step is a separate command. Run them one at a time and verify output before proceeding.

Step 0: Back up config

cp ~/.openclaw/openclaw.json ~/.openclaw/openclaw.json.bak && echo "BACKUP OK"

Verify: Output is BACKUP OK.

Step 1: Create extension directory

mkdir -p ~/.openclaw/extensions/ai-warden
echo '{"private":true}' > ~/.openclaw/extensions/ai-warden/package.json

Verify: No errors.

Step 2: Install npm package

cd ~/.openclaw/extensions/ai-warden && npm install openclaw-ai-warden@2.4.0

Verify: No errors and no audit warnings. Be aware that npm runs any preinstall/postinstall scripts the package declares during this step, before you have looked at its contents. If you want to inspect first, add --ignore-scripts to the install command (Step 3 copies the TypeScript sources directly, so the plugin does not depend on a build script here) and then check the "scripts" field of node_modules/openclaw-ai-warden/package.json. Inspect the installed package before proceeding:

ls node_modules/openclaw-ai-warden/
grep -E '"name"|"version"' node_modules/openclaw-ai-warden/package.json

Confirm the package name is openclaw-ai-warden and version is 2.4.0.

Provenance check — verify the package matches the upstream source. Pin the version in every query so you are looking at the metadata of the release you installed, not the latest one:

npm info openclaw-ai-warden@2.4.0 repository.url

Expected: https://github.com/ai-warden/openclaw-plugin

npm info openclaw-ai-warden@2.4.0 dist.integrity

Compare this with the integrity hash npm recorded for the tarball it actually installed. npm 7 and later (the versions bundled with Node.js 18+) no longer write _shasum into the installed package.json, so grepping for it there prints nothing; read the package-lock.json that npm created in this directory instead:

grep -A3 '"node_modules/openclaw-ai-warden"' package-lock.json | grep integrity

The two sha512 strings must be identical. Note what this does and does not prove: a match shows the tarball on disk is the one the registry advertises, so nothing was swapped in transit or in the npm cache. It does not show that the registry tarball was built from the GitHub repository; for that, diff the installed files against the tagged release in the repo. If your npm supports it, npm audit signatures additionally checks the registry signature (and the provenance attestation, where the publisher has one) on installed packages.
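The provenance check above compares strings by eye across several commands. The following is an added example, not code from the AI-Warden project or from npm, that performs the same comparison in one place and also rejects two conditions the manual steps do not: a tarball resolved from somewhere other than registry.npmjs.org, and a lockfile entry whose integrity is not sha512. The lockfile contents, the package.json and the "expected" hash below are constructed for the demo; in real use the expected values are the two strings printed by npm info openclaw-ai-warden@2.4.0 dist.integrity and repository.url.

```javascript
// Added example (not the plugin's or npm's own code): check that what npm put on
// disk is exactly the tarball the registry advertises for openclaw-ai-warden@2.4.0.
const PKG = 'openclaw-ai-warden';
const WANT_VERSION = '2.4.0';
const WANT_REPO = 'https://github.com/ai-warden/openclaw-plugin';
const REGISTRY_PREFIX = `https://registry.npmjs.org/${PKG}/-/`;

// Top-level install entry from a lockfileVersion 2/3 package-lock.json. npm 7+ no
// longer writes _shasum/_integrity into the installed package.json; the lockfile
// is where it records the resolved URL and integrity of the installed tarball.
function lockEntry(lock) {
  const entry = (lock.packages || {})[`node_modules/${PKG}`];
  if (!entry) throw new Error(`${PKG} not present in lockfile`);
  return entry;
}

// Returns a list of problems; an empty list means every check passed.
function verifyInstall({ lock, installedPkgJson, registryIntegrity, registryRepoUrl }) {
  const problems = [];
  const entry = lockEntry(lock);

  if (installedPkgJson.name !== PKG) problems.push(`name mismatch: ${installedPkgJson.name}`);
  if (installedPkgJson.version !== WANT_VERSION)
    problems.push(`version mismatch: installed ${installedPkgJson.version}, wanted ${WANT_VERSION}`);
  if (entry.version !== WANT_VERSION) problems.push(`lockfile version mismatch: ${entry.version}`);

  // The tarball must have come from the public registry, not a mirror, git or file URL.
  if (!entry.resolved || !entry.resolved.startsWith(REGISTRY_PREFIX))
    problems.push(`unexpected resolved URL: ${entry.resolved}`);

  // Insist on sha512; a sha1 integrity string is weak and should not be accepted.
  if (!entry.integrity || !entry.integrity.startsWith('sha512-'))
    problems.push(`lockfile integrity is not sha512: ${entry.integrity}`);
  else if (entry.integrity !== registryIntegrity)
    problems.push('lockfile integrity does not match registry dist.integrity');

  // repository.url as npm prints it may carry a git+ prefix and a .git suffix.
  const repo = (registryRepoUrl || '').replace(/^git\+/, '').replace(/\.git$/, '');
  if (repo !== WANT_REPO) problems.push(`repository.url is ${registryRepoUrl}, expected ${WANT_REPO}`);

  return problems;
}

// Real use: read the two files npm produced in ~/.openclaw/extensions/ai-warden
// and pass in the two strings from your own npm info queries.
function verifyFromDisk(extDir, registryIntegrity, registryRepoUrl) {
  const fs = require('fs');
  const read = (p) => JSON.parse(fs.readFileSync(`${extDir}/${p}`, 'utf8'));
  return verifyInstall({
    lock: read('package-lock.json'),
    installedPkgJson: read(`node_modules/${PKG}/package.json`),
    registryIntegrity,
    registryRepoUrl,
  });
}

// Constructed sample inputs (the hashes are placeholders, not real values).
const SAMPLE_INTEGRITY = 'sha512-' + 'A'.repeat(86) + '==';
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'ai-warden', private: true },
    [`node_modules/${PKG}`]: {
      version: '2.4.0',
      resolved: `${REGISTRY_PREFIX}${PKG}-2.4.0.tgz`,
      integrity: SAMPLE_INTEGRITY,
    },
  },
};
const SAMPLE_PKG_JSON = { name: PKG, version: '2.4.0' };
const SAMPLE_REPO_URL = 'git+https://github.com/ai-warden/openclaw-plugin.git';

// Clean install: lockfile and registry agree.
function demoClean() {
  return verifyInstall({
    lock: SAMPLE_LOCK, installedPkgJson: SAMPLE_PKG_JSON,
    registryIntegrity: SAMPLE_INTEGRITY, registryRepoUrl: SAMPLE_REPO_URL,
  });
}

// Same install, but the registry now reports a different hash for 2.4.0 (e.g. the
// tarball was republished or swapped): must be flagged.
function demoTampered() {
  return verifyInstall({
    lock: SAMPLE_LOCK, installedPkgJson: SAMPLE_PKG_JSON,
    registryIntegrity: 'sha512-' + 'B'.repeat(86) + '==', registryRepoUrl: SAMPLE_REPO_URL,
  });
}
```

Call verifyFromDisk with the extension directory and the two strings from your npm info queries; anything other than an empty list means stop and do not proceed to Step 3.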

Step 3: Copy plugin files to extension root

OpenClaw loads plugins from the extension directory root, not from node_modules.

cd ~/.openclaw/extensions/ai-warden
cp node_modules/openclaw-ai-warden/index.ts .
cp node_modules/openclaw-ai-warden/openclaw.plugin.json .
cp -r node_modules/openclaw-ai-warden/src .
grep VERSION index.ts | head -1

Verify: Output shows const VERSION = followed by the version number.

Step 4: Configure OpenClaw

This patches openclaw.json to register the plugin. It preserves all existing config (channels, model, gateway settings).

node -e "
const fs = require('fs');
const p = process.env.HOME + '/.openclaw/openclaw.json';
const cfg = JSON.parse(fs.readFileSync(p, 'utf8'));
if (!cfg.plugins) cfg.plugins = {};
cfg.plugins.enabled = true;
if (!cfg.plugins.entries) cfg.plugins.entries = {};
cfg.plugins.entries['ai-warden'] = {
  enabled: true,
  config: {
    layers: { content: 'block', channel: 'warn', preLlm: 'off', toolArgs: 'block', subagents: 'block', output: 'off' },
    sensitivity: 'balanced'
  }
};
fs.writeFileSync(p, JSON.stringify(cfg, null, 2));
console.log('CONFIG OK');
"

Verify: Output is CONFIG OK.

Note: This registers the plugin via plugins.entries only. If you use plugins.allow in your config to restrict which plugins can load, you must add "ai-warden" to that list yourself. If you don't use plugins.allow, no action is needed — the plugin loads automatically from plugins.entries.

Step 5: Add API key (optional)

For online detection (98.9% accuracy vs ~60% offline), add your API key.

Option A — Environment variable (recommended, key not stored in config file):

Set AI_WARDEN_API_KEY in your shell profile or systemd service:

# For systemd (e.g., OpenClaw gateway service):
# Add to your service override: Environment=AI_WARDEN_API_KEY=your_key_here
# Caveat: drop-in override files are normally world-readable (0644), so any local
# user can read a key placed there. Prefer EnvironmentFile=/etc/openclaw/ai-warden.env
# (path is an example) with that file owned by the service user and chmod 600.

# For shell: export AI_WARDEN_API_KEY=your_key_here

Option B — Config file (simpler, key stored in openclaw.json):

node -e "
const fs = require('fs');
const p = process.env.HOME + '/.openclaw/openclaw.json';
const cfg = JSON.parse(fs.readFileSync(p, 'utf8'));
cfg.plugins.entries['ai-warden'].config.apiKey = 'YOUR_API_KEY_HERE';
fs.writeFileSync(p, JSON.stringify(cfg, null, 2));
// Restrict file permissions (config contains API key)
fs.chmodSync(p, 0o600);
console.log('API KEY ADDED (file permissions set to 600)');
"

Replace YOUR_API_KEY_HERE with your actual key from ai-warden.io/signup.

Verify: Output is API KEY ADDED (file permissions set to 600).

Step 6: Restart gateway

openclaw gateway restart

Step 7: Verify installation

After restart, check logs or send /warden command. Expected output:

🛡️ AI-Warden v2.4.0 ready (mode: api|offline, layers: X/6)
  • mode: api = online detection (98.9% accuracy)
  • mode: offline = local-only detection (~60% accuracy)

If something breaks, restore config:

cp ~/.openclaw/openclaw.json.bak ~/.openclaw/openclaw.json && openclaw gateway restart

DO NOT

  • Do NOT use edit tool on openclaw.json — JSON whitespace matching is fragile
  • Do NOT use config.patch with nested objects — it often fails with format errors
  • Do NOT skip the cp step — OpenClaw loads from the extension directory, not node_modules
  • Do NOT restart multiple times — wait at least 15 seconds between restarts
  • If you use plugins.allow, remember to add "ai-warden" to the list — otherwise the plugin won't load

Updating

cd ~/.openclaw/extensions/ai-warden
npm install openclaw-ai-warden@2.4.0
cp node_modules/openclaw-ai-warden/index.ts .
cp -r node_modules/openclaw-ai-warden/src .
openclaw gateway restart

Security Shields

Shield           | Protects against             | Default | Mechanism
File Shield 🔴   | Poisoned files & web pages   | block   | Scans tool results, injects warning, triggers contamination lockdown on CRITICAL
Chat Shield 🔴   | Injections in user messages  | warn    | Scans inbound messages, warns LLM
System Shield    | Full context manipulation    | off     | Scans all messages (expensive, use sparingly)
Tool Shield 🔴   | Malicious tool arguments     | block   | Blocks tool execution if arguments contain injection
Agent Shield 🔴  | Sub-agent attack chains      | block   | Scans task text of spawned sub-agents

Contamination Lockdown

When File Shield detects a CRITICAL threat (score >500), the session is flagged as contaminated. All dangerous tools (exec, write, edit, message, sessions_send, sessions_spawn, tts) are blocked for the rest of the session. This prevents attack payloads from executing even if the injection bypasses the LLM warning.
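The important property of the lockdown is that it is per-session and sticky: once triggered it is not lifted by later clean scans, and it gates tool calls rather than relying on the model heeding a warning. The following is an added illustration of that rule, not AI-Warden's implementation; the scanner is replaced by hand-supplied scores, and the threshold and tool list are the ones stated above.

```javascript
// Added illustration (not AI-Warden's code) of contamination lockdown: a File Shield
// score above 500 marks the session contaminated, after which every tool in the
// dangerous set is refused for the rest of the session, whatever later scans score.
const CRITICAL_SCORE = 500;
const DANGEROUS_TOOLS = new Set([
  'exec', 'write', 'edit', 'message', 'sessions_send', 'sessions_spawn', 'tts',
]);

class WardenSession {
  constructor(id) {
    this.id = id;
    this.contaminated = false;
    this.reason = null;
    this.blocked = []; // audit trail of refused tool calls
  }

  // Called with the File Shield score for each tool result (file read, web fetch).
  // Only the first CRITICAL hit is recorded; the flag is never cleared in-session.
  onFileScan(score, source) {
    if (score > CRITICAL_SCORE && !this.contaminated) {
      this.contaminated = true;
      this.reason = `CRITICAL injection in ${source} (score ${score})`;
    }
    return this.contaminated;
  }

  // Gate evaluated before every tool call, independent of what the LLM decided.
  beforeToolCall(tool) {
    if (this.contaminated && DANGEROUS_TOOLS.has(tool)) {
      this.blocked.push(tool);
      return { allow: false, why: `session ${this.id} contaminated: ${this.reason}` };
    }
    return { allow: true, why: 'ok' };
  }
}

// Constructed scenario: a benign file, then a poisoned web page, then a clean file,
// with the model attempting dangerous and harmless tools along the way.
function scenario() {
  const s = new WardenSession('demo');
  const trace = [];
  trace.push(s.beforeToolCall('exec').allow);             // no hit yet: allowed
  s.onFileScan(120, 'README.md');                          // below threshold
  trace.push(s.beforeToolCall('write').allow);            // still allowed
  s.onFileScan(742, 'https://example.invalid/page');       // CRITICAL: lockdown
  trace.push(s.beforeToolCall('exec').allow);             // refused
  s.onFileScan(0, 'notes.txt');                            // clean scan does not lift it
  trace.push(s.beforeToolCall('sessions_spawn').allow);   // still refused
  trace.push(s.beforeToolCall('read').allow);             // non-dangerous tool still works
  return { trace, contaminated: s.contaminated, blocked: s.blocked };
}
```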

Runtime Commands

/warden                      → status overview with all shields
/warden stats                → scan/block counts
/warden shield file block    → set File Shield to block mode
/warden shield chat warn     → set Chat Shield to warn mode
/warden reset                → reset statistics

Detection Modes

Mode                | Accuracy | Latency  | Cost
Offline (no key)    | ~60%     | <1ms     | Free
API (Smart Cascade) | 98.9%    | ~3ms avg | Free tier: 5K calls/month
Get API key: ai-warden.io/signup

Troubleshooting

  • "plugin not found": openclaw.plugin.json missing from extension dir. Re-run Step 3.
  • Channels not loading after install: If you use plugins.allow, ensure all your channel plugins (e.g. telegram) are also listed there alongside ai-warden.
  • False positives on user messages: Set Chat Shield to warn (default) instead of block.
  • File Shield detects but doesn't block: API key required for reliable blocking (98.9% vs 60%).
  • Config errors after install: Restore backup: cp ~/.openclaw/openclaw.json.bak ~/.openclaw/openclaw.json
  • Bot won't start: Check journalctl -u openclaw-gateway -n 20 for actual error.
  • Workspace files flagged: Plugin auto-whitelists .openclaw/workspace/ and .openclaw/agents/ paths.
Data source: ClawHub · Chinese localisation: Lobster Skill Library (龙虾技能库)