installation

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes multiple hard-coded plaintext passwords and default credential values (e.g., openclaw123, root123, admin123, placeholders like your_password) and shows them embedded in docker-compose, .env, Helm values, and SQL commands, which encourages the agent to output or copy secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's installation steps explicitly download and apply manifest/config files from public third-party URLs (e.g., curl -fsSL https://raw.githubusercontent.com/openclaw/openclaw/main/docker-compose.yml, kubectl apply -f https://raw.githubusercontent.com/openclaw/openclaw/main/deploy/kubernetes/, and wget/curl of GitHub releases), meaning untrusted external content is fetched and used as part of the workflow and could therefore influence runtime behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill downloads and uses remote runtime configuration (e.g., curl -fsSL https://raw.githubusercontent.com/openclaw/openclaw/main/docker-compose.yml -o docker-compose.yml followed by docker-compose up -d), so fetched content is executed/instantiates containers and therefore directly controls runtime behavior.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt includes explicit instructions to write systemd service files under /etc/systemd/system, run systemctl enable/start, create files under /opt, and execute database root commands — all actions that modify system state and require elevated privileges.