openclaw-client-bootstrap

Fail

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The installation and bootstrap scripts use the piped-to-shell pattern to execute remote code from external sources.
      • Evidence: assets/client-kit/scripts/01-bootstrap-do.sh executes curl -fsSL https://deb.nodesource.com/setup_22.x | bash to install Node.js.
      • Evidence: assets/client-kit/scripts/02-install-tailscale.sh executes curl -fsSL https://tailscale.com/install.sh | sh to install Tailscale.
      • Evidence: assets/client-kit/scripts/03-install-openclaw.sh executes curl -fsSL https://openclaw.ai/install.sh | bash to install the OpenClaw CLI.
  • [COMMAND_EXECUTION]: The skill generates and executes shell commands on remote hosts via SSH for configuration and management.
      • Evidence: scripts/talk.sh and scripts/update-oauth-token.sh construct complex shell strings containing environment variables and logic, which are then piped to ssh for remote execution.
      • Evidence: assets/client-kit/scripts/05-setup-collab-tmux.sh and other bootstrap scripts use sudo to perform high-privilege system operations, such as modifying /etc/ssh/sshd_config.d/ and enabling system services.
  • [EXTERNAL_DOWNLOADS]: Fetches binaries and repository configurations from various external sources.
      • Evidence: Fetches Node.js distribution from deb.nodesource.com and Docker keys/repositories from download.docker.com.
      • Evidence: Fetches Tailscale components from tailscale.com.
  • [CREDENTIALS_UNSAFE]: The update-oauth-token.sh script is designed to read local sensitive files (like ~/.codex/auth.json) and transmit the extracted tokens to a remote droplet to update environment variables.
  • [INDIRECT_PROMPT_INJECTION]: The skill establishes an attack surface where the agent's behavior is guided by markdown files (SOUL.md, AGENTS.md) and tool outputs that could potentially be influenced by untrusted data if the server is compromised.
      • Ingestion points: openclaw.json, SOUL.md, AGENTS.md, and USER.md (read from the filesystem at runtime).
      • Boundary markers: The skill encourages the use of an allowlist for commands (tools.exec.security: "allowlist") and explicit human approval (ask: "always") for execution, which serves as a significant security control.
      • Capability inventory: File reading, subprocess execution via exec (gated), and network operations via the gateway.
      • Sanitization: No explicit content sanitization is described for the prompts derived from the identity files.
Recommendations
  • HIGH: Downloads and executes remote code from: https://openclaw.ai/install.sh, https://deb.nodesource.com/setup_22.x, https://tailscale.com/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 5, 2026, 12:53 AM