20 Agent Security Questions

What This Skill Does

The 20 Agent Security Questions skill, developed by caidongyun, is a specialized tool designed for systematic capture, classification, and analysis of issues encountered during AI Agent workflows. As AI agents become more deeply integrated into professional environments, identifying and mitigating security vulnerabilities, mechanism failures, and output inconsistencies becomes paramount. This skill provides a structured framework to collect granular feedback, perform risk analysis, and bridge the gap between ad-hoc troubleshooting and long-term knowledge management. By turning runtime errors or security red flags into structured research topics, it enables developers and operators to build a robust "lessons learned" database, facilitating continuous improvement of the Agent's performance and security posture.

Installation

To integrate this skill into your OpenClaw environment, execute the following command in your terminal:

clawhub install openclaw/skills/skills/caidongyun/20-agent-security-questions

Ensure that your OpenClaw environment has the necessary directory write permissions, as the skill stores question data locally for analysis and reporting.

Use Cases

• Security Auditing: Log and investigate potential prompt injection attempts or data exfiltration risks detected during agent-user interaction.
• Performance Debugging: Document instances where the Agent fails to follow logic or produces hallucinations, allowing for later root cause analysis.
• Human-in-the-loop Optimization: Track communication breakdowns where the agent fails to understand user intent or context, helping to refine future system prompts.
• Research & Development: Automate the transformation of recurring issues into actionable research tasks for future model fine-tuning or architectural updates.

Example Prompts

1. "./src/questions.sh add 'Agent attempted to access system environment variables without explicit permission during the JSON parsing phase.'"
2. "./src/questions.sh list"
3. "./src/questions.sh analyze"

Tips & Limitations

• Consistency: Use the add function immediately after observing an issue to ensure the description includes relevant environmental context.
• Data Privacy: Ensure that the 'problem descriptions' you input do not contain sensitive PII (Personally Identifiable Information) or plain-text credentials.
• Storage: This skill stores data locally. Regularly back up your local questions.json or database file to avoid losing your historical analysis.
• Manual Oversight: While this tool provides an analytical framework, the final determination of 'security risk' should be reviewed by a human expert. Do not rely on the automated analysis as a replacement for formal security penetration testing.