sre-runbooks
Fail
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill is designed to fetch runbook steps from an external API (api.openclaw.com) and execute them locally as automated scripts or API calls.
  - Evidence: 'Execute automated steps from runbooks, such as running scripts or API calls' and the POST endpoint https://api.openclaw.com/sre-runbooks/v1/runbooks/{id}/execute.
- [COMMAND_EXECUTION]: The skill uses a CLI tool (sre-cli) and a programmatic library to run system-level commands and maintenance procedures.
  - Evidence: CLI commands like 'sre-cli runbook get' and Python calls like 'sre_runbooks.execute(id=123)'.
- [EXTERNAL_DOWNLOADS]: The documentation instructs users to install external packages and SDKs from public registries that are not part of the trusted vendors list.
  - Evidence: Instructions to run 'npm install sre-runbooks-sdk' and use the 'sre_runbooks' Python module.
- [DATA_EXFILTRATION]: The skill transmits system environment parameters and configuration overrides to a remote endpoint.
  - Evidence: POST requests to api.openclaw.com containing body data such as {"step": 1, "params": {"environment": "prod"}}.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection, as it processes untrusted data from monitoring tools and external API responses to trigger actions.
  - Ingestion points: External runbook content from api.openclaw.com and alerts from integrated monitoring tools.
  - Boundary markers: No boundary markers or 'ignore' instructions are defined to separate untrusted data from the execution logic.
  - Capability inventory: Capability to execute scripts and system commands via sre-cli and the SDK execute function.
  - Sanitization: There is no mention of sanitization or validation for the content retrieved from external sources before execution.
Recommendations
- AI detected serious security threats
Audit Metadata