openclaw-inter-instance
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documentation explicitly instructs on the use of the
nodes.runtool to execute arbitrary shell commands on remote instances usingbash -c. Evidence includes templates for checking files, cloning repositories, and managing symlinks. - [REMOTE_CODE_EXECUTION]: By design, the skill provides a mechanism for cross-machine remote code execution. It suggests using
env -uto bypass proxy settings duringgit cloneoperations from external sources and provides methods to inject messages directly into remote agent sessions. - [PROMPT_INJECTION]: The 'GLM-5 Identity Overwrite' section contains instructions to use
CRITICAL IDENTITYforced declarations to override the AI's internal persona or safety constraints ('Kiro'人设). This represents a direct attempt to manipulate and bypass default agent behavior. - [DATA_EXFILTRATION]: The skill's primary functions involve moving data across network boundaries, including syncing repositories and accessing remote 'memory' directories, which could be leveraged to exfiltrate sensitive information from a compromised instance.
- [INDIRECT_PROMPT_INJECTION]: The 'File-level communication' strategy involves writing instructions directly into the workspace memory files (
memory/YYYY-MM-DD.md) of other instances. - Ingestion points: Remote instance memory files (
memory/*.md) and session message streams. - Boundary markers: None specified in the instructions.
- Capability inventory: Remote shell execution (
nodes.run), session messaging (sessions_send), and file writing. - Sanitization: No sanitization or validation of the messages being passed between instances is described.
Recommendations
- AI detected serious security threats
Audit Metadata