Is lawyered0/enterprise-legal-guardrails safe?
https://github.com/openclaw/skills/tree/main/skills/lawyered0/enterprise-legal-guardrails
Enterprise Legal Guardrails is a Python-based outbound compliance checker that appears legitimately motivated but has a risky architectural design. The core concern is that SKILL.md instructs agents to route ALL outbound communications through guard_and_run.py, an attacker-controlled command wrapper, creating a man-in-the-middle position over every message, post, or action the agent takes. The skill's source code shows no evidence of active exfiltration, canary files were not compromised, and network activity during installation was limited to the expected GitHub clone; however, the combination of arbitrary command execution, a documented allowlist bypass, truncated source code, and a design that centralizes all outbound agent actions through this skill warrants caution before deployment.
Findings (8)
HIGH (-25): Universal outbound MITM architecture
SKILL.md explicitly instructs agents to route ALL outbound actions (post, comment, message, send, trade, publish) through guard_and_run.py as a 'universal outbound adapter'. This places attacker-controlled code in an interception position over every outbound communication the agent makes. A malicious or compromised version of this script could selectively block, log, redirect, or modify agent output while appearing to enforce legal compliance.
HIGH (-20): guard_and_run.py wraps arbitrary system command execution
The guard_and_run.py script uses Python subprocess to execute arbitrary commands passed after the -- delimiter. While an allowlist mechanism exists, the agent is instructed by SKILL.md to use this wrapper for all outbound flows. If the skill's code contains hidden behavior, the wrapper executes with the agent's full process privileges after passing the guardrail check.
MEDIUM (-15): --allow-any-command bypass mechanism normalizes security escapes
guard_and_run.py includes an explicit security bypass (--allow-any-command) that, when supplied with a reason string and approval token, disables the command allowlist entirely. While audit controls are present, the existence and documentation of this bypass in SKILL.md creates a template for instructing agents to invoke it, and the bypass controls can be supplied via environment variables that may be easier to manipulate than CLI arguments.
MEDIUM (-15): Outbound text content flows through attacker-controlled code before delivery
guard_and_run.py reads the full draft text (--text, --text-file, or stdin) and passes it through the guardrail checker before executing the wrapped command. The guardrail checker runs as a subprocess whose output is parsed by guard_and_run.py. This creates an opportunity for the checker or wrapper to log, hash, or transmit the content of every outbound message the agent sends.
MEDIUM (-12): guard_and_run.py source is truncated; _sanitize_env implementation unverifiable
The guard_and_run.py source provided in the audit evidence is cut off mid-function at the start of _sanitize_env. This function controls which environment variables are passed to wrapped commands. Its full behavior cannot be verified from the available evidence, meaning potential credential forwarding or environment leakage cannot be ruled out.
LOW (-8): Three overlapping env var namespaces obscure security-relevant configuration
The skill uses three parallel sets of environment variable names (ENTERPRISE_LEGAL_GUARDRAILS_*, ELG_*, BABYLON_GUARDRAILS_*) for the same controls. This proliferation makes it difficult to audit the effective configuration in production environments and increases the risk that a maliciously set variable goes unnoticed during security review.
LOW (-5): Skill content cloned from GitHub monorepo (expected)
Installation connected to github.com (140.82.121.3:443) to clone the openclaw/skills monorepo and extract the skill subpath. This is the expected installation mechanism and represents no anomalous behavior. The downloaded code controls future command execution through guard_and_run.py.
INFO (0): Canary file accesses attributed to monitoring infrastructure
Audit syscall logs show /home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials were opened at two points: timestamp 1771930095 (35ms after monitoring setup began, before git clone at 1771930101) and 1771930113 (monitoring teardown). Both access windows correlate with the monitoring framework, not with skill code execution. All canary files confirmed intact.