Local Model Prompt Injection Scanner for AI Skills Security

✍️ OpenClawRadar📅 Published: March 20, 2026🔗 Source
Local Model Prompt Injection Scanner for AI Skills Security
Ad

Security Vulnerability in AI Skills

A discussion on X highlighted a serious security flaw in third-party AI skills. Claude Code supports the ! operator to execute bash commands directly within skills, but these operators can be hidden in HTML tags, leading to bash executions that the LLM might not be aware of.

Local Scanner Implementation

A proof-of-concept tool has been built to scan skills for potential malware injection at installation time. The scanner uses a non-tool-calling model running locally, specifically mistral-small:latest on Ollama. The creator reports it "worked like a charm" during testing.

The approach functions similarly to a virus scanner and could be integrated into a future "skill installer" product. Protection against prompt injection is identified as a promising application for local models.

Technical Details

The vulnerability involves the ! operator in Claude Code that allows direct bash command execution. Attackers can hide these operators within HTML tags, potentially executing malicious commands without the LLM's knowledge. The scanner addresses this by analyzing skills before installation to detect such hidden injections.

📖 Read the full source: r/LocalLLaMA

Ad

👀 See Also

13 Words on Reddit Can Manipulate AI Search: Cornell Research
Security

13 Words on Reddit Can Manipulate AI Search: Cornell Research

Cornell research shows that a 13-word snippet on Reddit or Wikipedia can reliably poison AI search agents. Half of all AI citations come from UGC sites, making it trivially easy for brands to inject promotional content.

OpenClawRadar
Litellm PyPI Package Compromised: Malicious Version 1.82.8 Exfiltrated Credentials
Security

Litellm PyPI Package Compromised: Malicious Version 1.82.8 Exfiltrated Credentials

The litellm PyPI package, which unifies calls to OpenAI, Anthropic, Cohere and other LLM providers, was compromised with malicious version 1.82.8 that exfiltrated SSH keys, cloud credentials, API keys, and other sensitive data for about an hour.

OpenClawRadar
OpenClaw Security Gap Addressed by Agentic Power of Attorney (APOA) Spec
Security

OpenClaw Security Gap Addressed by Agentic Power of Attorney (APOA) Spec

A developer has published an open specification called Agentic Power of Attorney (APOA) to address security concerns in OpenClaw, where agents currently access services like email and calendar with only natural language instructions as guardrails. The spec proposes per-service permissions, time-bounded access, audit trails, revocation, and credential isolation.

OpenClawRadar
Malicious Google Ad Targets Claude Code Installation
Security

Malicious Google Ad Targets Claude Code Installation

A malicious Google ad appears as the top result for 'install claude code' searches, attempting to trick users into running suspicious terminal commands. The ad was still active as of March 15, 2026, and the author narrowly avoided executing the code.

OpenClawRadar