openclaw-docs-audit
Fail
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The `SKILL.md` file contains instructions to execute a remote script using the command `curl -fsSL https://openclaw.ai/install.sh | bash`. This allows an untrusted third-party server to execute arbitrary commands on the user's system without prior verification or safety checks.
- [COMMAND_EXECUTION]: The skill uses dynamic shell execution in `SKILL.md` and `scripts/audit.sh` to locate and run audit scripts. It searches for script paths using `ls` and `head` (e.g., `bash "$AUDIT" --instances`), which could lead to executing unexpected files if the environment is compromised.
- [DATA_EXFILTRATION]: The skill accesses sensitive agent configuration directories (`~/.claude/skills/` and `~/.codex/skills/`) to find and read skill files. Accessing the storage paths of other skills is a privacy and security concern as it exposes the agent's internal workspace.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it fetches release notes from a public GitHub repository (`openclaw/openclaw`) and provides them to the agent for analysis without sanitization. Malicious instructions embedded in upstream release bodies could be used to manipulate the agent's behavior during the audit process.
  - Ingestion points: The `scripts/audit.sh` file fetches release bodies via `gh release view <tag> --json body`.
  - Boundary markers: None identified; the content is passed directly into the agent's context.
  - Capability inventory: The skill has the ability to execute shell commands and read files across multiple skill directories.
  - Sanitization: No sanitization or filtering is performed on the fetched release note content.
Recommendations
- HIGH: Downloads and executes remote code from: https://openclaw.ai/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata