token-guard
Fail
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Unsafe command construction in scripts/token-guard.sh. The script uses python3 -c to process data but interpolates shell variables directly into the Python code string (e.g., in cmd_log, cmd_set_budget, and cmd_estimate). A malicious input containing single quotes could execute arbitrary Python code. Additionally, the _switch_model function performs a curl request where the $new_model variable is interpolated directly into a JSON payload, allowing for JSON injection that could overwrite sensitive agent configuration settings.
- [DATA_EXFILTRATION]: Access to sensitive configuration files. The script reads from $HOME/.clawdbot/clawdbot.json and $HOME/.openclaw/openclaw.json. These files typically contain API keys and sensitive credentials for AI providers. While the script currently uses this data locally, accessing these files is a high-risk operation that can lead to credential exposure if the script output is captured.
- [PROMPT_INJECTION]: Indirect prompt injection vulnerability surface.
  - Ingestion points: scripts/token-guard.sh arguments (model, source, budget values) that may be populated from untrusted agent outputs or task results.
  - Boundary markers: Absent. No delimiters or instructions are used to separate user data from command logic.
  - Capability inventory: Subprocess calls via python3 -c, file system writes to $STATE_DIR, and local network requests via curl to the gateway configuration API.
  - Sanitization: Absent. No escaping, validation, or sanitization is performed on shell variables before they are interpolated into Python commands or JSON payloads.
Recommendations
- AI detected serious security threats
Audit Metadata