openclaw-extend
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
- REMOTE_CODE_EXECUTION (CRITICAL): The openclaw plugins install and openclaw hooks install commands allow the agent to download and load executable code from arbitrary external URLs (e.g., .tar.gz files) and npm packages. This code runs with the same privileges as the OpenClaw gateway process.
- COMMAND_EXECUTION (HIGH): The skill enables remote shell execution on paired devices via openclaw nodes run <node> <cmd>. While some commands are platform-restricted, the capability represents a massive privilege surface.
- EXTERNAL_DOWNLOADS (HIGH): The skill documentation explicitly instructs the agent to fetch and install software from untrusted third-party network locations.
- CREDENTIALS_UNSAFE (MEDIUM): The skill is designed to manage and store highly sensitive credentials, including Telegram bot tokens, Discord bot tokens, and Matrix access tokens, which are prone to exposure if the agent's context is compromised.
- DATA_EXFILTRATION (MEDIUM): Commands such as openclaw nodes screen, openclaw nodes camera, and openclaw nodes location allow for the collection of sensitive environmental and personal data from remote nodes.
- INDIRECT PROMPT INJECTION (HIGH): The skill's primary ingestion point for external data (the plugin/hook installation spec) directly leads to code execution without any documented validation or sanitization, making it highly vulnerable to malicious payloads delivered via third-party integrations.
Recommendations
- AI detected serious security threats
Audit Metadata