ClawdStrike
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill explicitly instructs the agent to execute the data collection script scripts/collect_verified.sh "immediately (no consent prompt)," which is a direct attempt to bypass standard human-in-the-loop safety protocols and user confirmation requirements for shell script execution.
- [COMMAND_EXECUTION]: The skill relies on scripts/collect_verified.sh to execute a wide array of system diagnostic commands, including network utility tools (ss, lsof, netstat), firewall status checks (ufw, iptables, nft), and deep filesystem searches (find, rg).
- [DATA_EXFILTRATION]: The skill systematically gathers sensitive host metadata, user environment details, network listener status, and configuration summaries. Although the skill includes redaction logic to mask tokens and passwords, the breadth of system state collected into verified-bundle.json for AI processing creates a significant data exposure risk if the agent's output is redirected or the environment is compromised.
- [PROMPT_INJECTION]: The skill attempts to impose a "Verified mode" with "non-negotiable safety rules" that prioritize the skill's own execution logic over the agent's standard operating procedures and existing safety guidelines.
- [PROMPT_INJECTION]: The skill processes third-party skill and plugin files, which presents an indirect prompt injection surface. Malicious instructions inside those files could potentially influence the agent's behavior during the audit process.
  - Ingestion points: The script scripts/collect_verified.sh scans the $STATE_DIR/skills and $WORKSPACE_DIR/skills directories and extracts patterns from all discovered files.
  - Boundary markers: The skill metadata includes a specific instruction to treat scanned content as untrusted data and to ignore embedded instructions found within them.
- Capability inventory: Extensive shell command execution via collect_verified.sh and filesystem read access across the OpenClaw state directory.
  - Sanitization: Implements secret redaction helpers in scripts/redact_helpers.sh and filters configuration data via scripts/config_summary.py before the agent processes the findings.
Audit Metadata