unclawg-respond

Warn

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/uc_respond executes external commands via subprocess.run based on the values of the OPENCLAW_SOCIAL_REWRITE_CMD and OPENCLAW_CCURL environment variables. This pattern allows for arbitrary command execution if the execution environment is compromised.
  • [DATA_EXFILTRATION]: The skill transmits sensitive machine credentials (OPENCLAW_MACHINE_SECRET, OPENCLAW_API_KEY) and agent-specific context (soul metadata, message history) to a remote API endpoint configured via OPENCLAW_API_URL.
  • [CREDENTIALS_UNSAFE]: The wrapper script reads and parses sensitive machine secrets from multiple .env files located in the current workspace and user-specific configuration directories such as ~/.openclaw/ and .claude/agents/.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by processing human feedback from an external API and incorporating it into a rewrite model's prompt.
      • Ingestion points: Feedback content retrieved from the /v0/approval-requests/{approval_id}/messages endpoint.
      • Boundary markers: The prompt construction in _build_social_rewrite_context_dump uses delimiters like <<LATEST_FEEDBACK>> and <<TASK>> to separate instructions from data.
      • Capability inventory: The skill can execute subprocesses and perform network requests via the uc_respond wrapper.
      • Sanitization: The script performs basic normalization but lacks robust escaping to prevent user-supplied feedback from breaking out of the designated prompt delimiters.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 10, 2026, 08:11 PM