openclaw-doctor
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to indirect prompt injection (Category 8). It ingests content from various workspace files (e.g., USER.md, HEARTBEAT.md) and command outputs without sanitization. An attacker who can write to these files can influence the generated Health Report or the Quick Fix Script.
  1. Ingestion points: Multiple files in ~/.openclaw/workspace/ and CLI output from openclaw and tailscale commands.
  2. Boundary markers: None present; the agent processes the raw content of these files.
  3. Capability inventory: Full access to openclaw and tailscale CLI tools via Bash.
  4. Sanitization: None identified.
- [COMMAND_EXECUTION] (HIGH): The skill is granted broad permissions to execute any subcommand of openclaw and tailscale (e.g., Bash(openclaw *)). While the skill instructions claim to be read-only, the underlying tool permissions allow for system modification if the agent is redirected by an injection attack.
- [DATA_EXFILTRATION] (MEDIUM): The skill performs reconnaissance on sensitive credential and configuration files such as auth-profiles.json and the credentials directory. This exposure creates a significant risk if the agent is compromised and used to identify targets for data theft.
Recommendations
- AI detected serious security threats
Audit Metadata