openclaw-control-center

Warn

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: MEDIUM
Findings: [EXTERNAL_DOWNLOADS] [COMMAND_EXECUTION] [DATA_EXFILTRATION] [PROMPT_INJECTION]
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructions direct users to clone a repository from an unverified GitHub account (TianyiDataScience/openclaw-control-center), which is not part of the trusted vendors list. This repository contains all the application logic and UI components.
  • [COMMAND_EXECUTION]: The installation process requires executing multiple shell commands, including npm install, npm run build, and npm run dev:ui. npm install also runs any preinstall, install, postinstall and prepare lifecycle scripts declared by the repository and by every dependency it pulls in, and the build and dev scripts are whatever package.json says they are, so running these commands executes code from the external repository and its dependency tree and provides a path for arbitrary code execution on the user's system.
  • [DATA_EXFILTRATION]: The skill is designed to read sensitive local files, specifically ~/.openclaw/openclaw.json and ~/.openclaw/local-token. Accessing these files poses a risk of credential exposure or data exfiltration if the local server or the underlying code contains malicious logic.
  • [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface by ingesting and displaying untrusted data from agent execution chains, collaboration traces, and task outputs. Malicious instructions embedded in these data sources could potentially influence the agent or the user's perception of the system state.
  • Ingestion points: Reading agent staff status, collaboration traces, and task boards via the StaffConnector, CollaborationTracer, and TaskConnector (documented in SKILL.md).
  • Boundary markers: None mentioned in the provided documentation.
  • Capability inventory: Subprocess calls for build/test/run, file-system access to ~/.openclaw, and network operations via fetch (documented in SKILL.md).
  • Sanitization: Not explicitly documented. The skill is described as having "readonly defaults," but read-only access limits what the skill can change, not what the content it ingests can say to the agent or show the user, so it does not prevent injection within the UI context.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 15, 2026, 11:48 PM