openclaw-client-bootstrap

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill includes runtime skills that explicitly fetch and interpret public user-generated content (e.g., assets/instances/0_claw/custom-skills/find-customers-openclawth/SKILL.md and unclawg-discover/SKILL.md call wrapper commands to query Reddit, Hacker News, Twitter/X, and LinkedIn), and those results are used to rank candidates and generate approval/action proposals—meeting the criteria for ingesting untrusted third‑party content that can influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The kit's install scripts fetch-and-execute remote installers at runtime (curl -fsSL https://deb.nodesource.com/setup_22.x | bash, curl -fsSL https://tailscale.com/install.sh | sh, and curl -fsSL https://openclaw.ai/install.sh | bash), which run remote code required for the deployment and therefore represent a high-confidence runtime risk.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly guides running bootstrap and install scripts on droplets that install system services, modify systemd units, adjust firewalls/Tailscale settings, and manage non-root system users and credentials — all actions that change machine state and require privileged/system-level modifications.