mdrip-openclaw
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The primary function of this skill is to ingest untrusted data from external URLs and provide it to the agent's context. This is a classic vector for indirect prompt injection attacks where a malicious website could contain instructions that hijack the agent's behavior.
  - Ingestion points: The `mdrip <url>` command fetches raw content from the web (SKILL.md).
  - Boundary markers: There are no explicit markers or instructions provided to the agent to treat the fetched content as data rather than instructions.
  - Capability inventory: The skill enables command execution (`mdrip`) and persistent file storage (snapshots in `mdrip/pages/`).
  - Sanitization: No sanitization of the fetched markdown is mentioned or implemented.
- [External Downloads] (MEDIUM): The skill metadata automatically triggers the installation of the `mdrip` package via npm (SKILL.md). This package is not from a verified or trusted organization listed in the security policy.
- [Command Execution] (MEDIUM): The skill relies on executing CLI commands (`mdrip`, `mdrip clean`, etc.). While functional, if an attacker can manipulate the URL or parameters passed to these commands via indirect injection, it could lead to unintended shell operations.
Recommendations
- AI detected serious security threats
Audit Metadata