openclaw-maintain
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Remote Code Execution (HIGH): The skill implements an update mechanism (`openclaw update`) that fetches and executes code from remote repositories (git/npm). Since the source is not a pre-defined trusted entity, this represents an unverified remote code execution vector.
- Persistence Mechanisms (HIGH): Multiple persistence vectors are provided:
  - `openclaw daemon install` modifies system initialization paths (`~/Library/LaunchAgents/` on macOS, `~/.config/systemd/user/` on Linux) to ensure the gateway service starts automatically.
  - `openclaw cron add` allows for the scheduling of recurring commands, which can be used to maintain access or execute malicious payloads periodically.
- Indirect Prompt Injection (HIGH): The skill possesses a significant injection surface with high-impact capabilities:
  - Ingestion points: `openclaw logs` (SKILL.md), `openclaw sessions --json` (maintenance-playbooks.md), and `openclaw memory status` (SKILL.md) all ingest data that likely contains untrusted content from external network requests or user-controlled files.
  - Capability inventory: The skill can execute arbitrary subcommands via `openclaw`, restart services, delete files (`rm -f` in playbooks), and modify system scheduling.
  - Boundary markers: There are no instructions or delimiters provided to the agent to ignore natural language instructions found within logs or session data.
  - Sanitization: No evidence of sanitization or validation of the data being read before it is processed by the agent.
- Command Execution (MEDIUM): The allowed-tools list includes broad wildcards (`Bash(openclaw *)`) which grants the agent significant control over the host environment, including service lifecycle and file manipulation.
Recommendations
- AI detected serious security threats
Audit Metadata