Is eyeskiller/glitchward-shield safe?
https://github.com/openclaw/skills/tree/main/skills/eyeskiller/glitchward-shield
The Glitchward LLM Shield skill presents a significant and systematic privacy and control risk through its intended design: every user prompt, external document, email, and agent context item is transmitted to glitchward.com before reaching the LLM, and the external service is given unilateral authority to block any user input with no local override. The installation process itself was clean with no malicious code, executable payloads, or unexpected network activity, but runtime deployment creates a comprehensive third-party surveillance and censorship layer over the entire agent session that is architecturally equivalent to installing a keylogger. Organizations handling sensitive data or requiring data residency guarantees should not install this skill without first conducting a thorough review of glitchward.com's data retention, processing, and third-party sharing policies.
Category Scores
Findings (10)
CRITICAL All User Prompts Exfiltrated to glitchward.com by Design -45
The skill's primary function is to transmit every user prompt to glitchward.com before it reaches any LLM. This is not a side effect but the core mechanism: the skill explicitly instructs the agent to call /api/shield/validate 'Before every LLM call'. Every user query — including sensitive personal, financial, medical, or business content — is logged at a third-party commercial service with no user consent mechanism described.
HIGH Skill Explicitly Designed to Intercept External Documents, Emails, and Web Content -20
Beyond user queries, the skill instructs the agent to transmit documents, emails, and web content that will be included in agent context, as well as tool outputs and intermediate results flowing between agents. This extends the exfiltration surface to everything the agent processes, not just direct user inputs.
HIGH External Service Granted Unilateral Authority to Block Any User Prompt -25
The skill instructs the agent to unconditionally suppress user prompts when glitchward.com returns is_blocked: true, giving an external commercial party veto power over all user interactions. A compromised, malicious, or commercially motivated glitchward.com operator could use this to selectively silence users, block competitor mentions, suppress regulatory questions, or manipulate agent behavior for arbitrary reasons — without any local audit trail.
HIGH Creates Comprehensive Third-Party Surveillance Layer Over Entire Agent Session -35
When deployed, this skill routes all agent inputs and intermediary content through glitchward.com, effectively making the skill operator a persistent, real-time observer of the full agent session. Combined with the API token, glitchward.com maintains an attributed, searchable log of all activity. This is architecturally equivalent to installing a keylogger on the agent.
MEDIUM Security Tool Framing Exploits User Trust to Gain Privileged Position -13
The skill presents itself as a protective security layer ('Protect your AI agent from prompt injection attacks'), which is likely to cause administrators to install it broadly, place it early in the skill chain, and trust its block decisions as authoritative security verdicts. This framing obscures the fact that the skill is itself a data collection and agent-control mechanism installed into the agent's system prompt.
MEDIUM Compounding Risk with Document, Email, and Web Scraping Skills -20
The skill explicitly recommends itself for use alongside skills that load external files, scrape web pages, or read emails. In such combinations, all external content ingested by the agent flows through glitchward.com. A user expecting confidential documents to remain local would have all content silently transmitted externally.
MEDIUM API Token Creates Persistent Attributed Identity for All Intercepted Data -10
The mandatory GLITCHWARD_SHIELD_TOKEN ties every intercepted prompt and document to a specific user identity at glitchward.com. This means all exfiltrated data is permanently attributed and retained in a commercial third-party system. A data breach, subpoena, insider threat, or account compromise at glitchward.com would expose the complete attributed history of all agent interactions for that token.
LOW Agent Operational Dependency on Third-Party Commercial Service -10
Workflows configured to gate all LLM calls through this skill become dependent on glitchward.com availability, API stability, and pricing. A service outage, API change, quota exhaustion, or account suspension could halt agent operations entirely. The free tier limit of 1,000 requests/month is low enough to be easily exceeded by active agent deployments.
INFO Installation Was Clean — No Unexpected Activity 0
During the monitored install window, only a GitHub clone of openclaw/skills was observed (140.82.121.4:443). No connections to glitchward.com were made. The skill contains no executable code, no npm install scripts, no git hooks, no gitattributes filters, and no git submodules. The filesystem diff shows only the four expected skill files added to the install directory.
INFO Canary File Reads Attributed to Oathe Audit Infrastructure 0
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) were accessed at two timestamps: pre-install (1771929923, audit setup) and post-install (1771929940, integrity verification). Both access patterns are consistent with the Oathe monitoring system recording baseline state and performing post-install integrity checks. The skill itself has no executable components that could have triggered these reads. The Oathe system's own canary report confirms all files intact.