openclaw-config
Fail
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill provides instructions and specific command-line templates to access and verify sensitive credential directories located at
~/.openclaw/credentials/. This includes WhatsApp session keys, Telegram bot tokens, and Twitter/X authentication cookies. - [COMMAND_EXECUTION]: The skill includes numerous bash command blocks designed for system health checks, process monitoring, and database inspection using tools such as
ps,grep,jq, andsqlite3. - [EXTERNAL_DOWNLOADS]: The skill enables the installation of third-party extensions and skills through the
clawdhubregistry and remote Git repositories usingnpx add-skill, which can lead to the execution of unverified external code. - [PROMPT_INJECTION]: The skill facilitates the management of a system that ingests untrusted data from external messaging channels, presenting an indirect prompt injection surface:
- Ingestion points: Reads inbound messages from WhatsApp, Signal, and Telegram, which are stored in session logs at
~/.openclaw/agents/main/sessions/. - Boundary markers: No boundary markers or instructions to ignore embedded commands are documented for the message ingestion process.
- Capability inventory: The system has capabilities for shell command execution, configuration file modification, and external API interaction via plugins.
- Sanitization: There is no evidence of sanitization or validation of the processed message content.
Recommendations
- AI detected serious security threats
Audit Metadata