openclaw-inter-instance
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill facilitates remote code execution through the `nodes.run` action, which allows executing arbitrary shell commands on remote paired machines via `bash -c`. Evidence: `nodes(action="run", node="<node-name>", command=["bash", "-c", "<command>"])`.
- [COMMAND_EXECUTION]: Provides templates for executing shell commands locally and remotely, including cloning external repositories and manipulating symlinks. Evidence: `env -u HTTP_PROXY -u HTTPS_PROXY git clone https://github.com/user/repo.git`.
- [PROMPT_INJECTION]: Contains explicit instructions to use 'CRITICAL IDENTITY' headers to override the built-in identity/persona of specific models (GLM-5). This is a bypass technique for model constraints. Evidence: 'GLM-5 Identity Override... solutions: in AGENTS.md top add CRITICAL IDENTITY forced declaration.'
- [DATA_EXFILTRATION]: References sensitive file system locations and configuration files that could contain credentials or system secrets. Evidence: `~/.openclaw/openclaw.json`, `~/.ssh`, and workspace memory files.
- [INDIRECT_PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection, as it processes messages from other instances via `sessions_send` and file-based 'memory' buffers without defined sanitization.
- Ingestion points: Remote instance messages (`sessions_send`), memory files (`memory/YYYY-MM-DD.md`).
- Boundary markers: None identified.
- Capability inventory: Arbitrary shell execution (`nodes.run`), file write access, cross-instance messaging.
- Sanitization: None identified.
Recommendations
- AI detected serious security threats
Audit Metadata