openclaw-setup

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests untrusted, user-generated third-party content — e.g., Telegram group/history messages are loaded as session context ("History Injection" in references/telegram-channel.md) and web search results (Brave Search/Tavily in references/mac-local-setup.md and references/anthropic-auth.md) are integrated into agent workflows, so external content can influence decisions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's recommended installation runs a remote install script that is fetched and executed at setup time—curl -fsSL https://openclaw.ai/install.sh | bash—so https://openclaw.ai/install.sh is a runtime-fetched dependency that executes remote code and is required for the skill.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly instructs running a remote installer (curl | bash), installing a system daemon, adjusting Docker port bindings and service/runtime settings that modify system-level configuration (likely requiring sudo or changing system files), so it encourages actions that compromise the machine state.