openclaw-setup
Fail
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill directs the agent to download and execute shell scripts from an untrusted source (https://openclaw.ai/install.sh) by piping them directly to bash. This pattern bypasses security validation of the remote content.
- [COMMAND_EXECUTION]: The installation workflow involves executing multiple system-level commands, including global npm package installations, service management via launchctl, and modifying firewall configurations (ufw).
- [PROMPT_INJECTION]: The skill configures the agent to ingest data from messaging channels like Telegram and iMessage, introducing a risk of indirect prompt injection.
  - Ingestion points: External messages received through Telegram and the macOS Messages database (references/telegram-channel.md, references/imessage-channel.md).
  - Boundary markers: The skill suggests using dmPolicy: "pairing" and requireMention: true to restrict access, though these do not fully sanitize incoming data.
  - Capability inventory: The setup environment grants access to shell execution (/bash), file system writes, and network operations.
  - Sanitization: There is no evidence of explicit sanitization or filtering of external input before it is processed by the agent's logic.
- [EXTERNAL_DOWNLOADS]: Fetches installation scripts and software from well-known services including Docker (get.docker.com), Tailscale (tailscale.com), Homebrew, and nvm.
Recommendations
- HIGH: Downloads and executes remote code from: https://openclaw.ai/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata