higress-openclaw-integration

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to collect API keys from the user and to include them verbatim in commands and config invocations (e.g., ---key , examples like --zhipuai-key sk-xxx and ./get-ai-gateway.sh config add --provider --key ), which requires the LLM to output secret values directly.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.75). The presence of a direct downloadable/ executable shell script on a non-major / not widely-known domain (https://higress.ai/ai-gateway/install.sh) is a high-risk indicator for malware distribution, while the other URLs are local endpoints (localhost) and not external download sources.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill fetches and ingests untrusted third-party content: SKILL.md instructs downloading https://higress.ai/ai-gateway/install.sh and scripts/plugin/index.ts calls fetchAvailableModels(consoleUrl) to GET consoleUrl/v1/ai/routes (user-supplied/open URLs) and then uses that model data to build default models and configuration, so external content can directly change agent configuration and behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly downloads and then executes a remote installer script at https://higress.ai/ai-gateway/install.sh (curl ... -o get-ai-gateway.sh && ./get-ai-gateway.sh), which is a runtime external dependency that runs remote code and is required for deployment.