openclaw-inter-instance

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.85). The content explicitly documents mechanisms for remote command execution (nodes.run), agent-to-agent command-and-control (sessions_send), and file-backed messaging that can be used as covert channels or persistence — enabling backdoor/C2 and data-exfiltration workflows even though it contains no direct payloads or explicit credential-stealing code.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs using nodes.run to clone public repositories (e.g., "git clone https://github.com/user/repo.git") and to sync workspace/skills from those repos, which causes the agent to fetch and consume arbitrary public, user-controlled code/files that could alter behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes a nodes.run example that clones a remote git repository at https://github.com/user/repo.git at runtime (and the recommended architecture links ~/AGI-Super-Skills into the agent workspace), meaning fetched repo contents can supply/alter skills or executable code that control agent prompts/behavior.