hiclaw-test

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill explicitly clones the public GitHub repo and—more importantly—runs scripts (scripts/hiclaw-debug.sh and its embedded Python) that ingest and parse debug output including a matrix-messages directory containing user-generated Matrix chat JSONL files (produced by export-debug-log.py) and uses message bodies to drive hang analysis and recommendations, so untrusted third-party/user content is read and can influence decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The run-hiclaw-test.sh and SKILL.md explicitly perform a runtime git clone of https://github.com/alibaba/hiclaw.git and then run its Makefile, test scripts (e.g., make test, ./tests/run-all-tests.sh) and Python scripts, meaning fetched repository content is executed and controls the agent's runtime behavior.