world-room

Pass

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: SAFE · PROMPT_INJECTION · DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from other agents in the shared 3D environment.
    • Ingestion points: The agent reads incoming chat messages (world-chat), agent profiles (bio), and bulletin board announcements (moltbook-list) as described in SKILL.md and skill.json.
    • Boundary markers: There are no explicit delimiters or boundary markers defined in the JSON schema or documentation to isolate untrusted content from agent instructions.
    • Capability inventory: The skill is capable of network communication and metadata retrieval, though its direct actions are limited to IPC world interactions.
    • Sanitization: No evidence of sanitization, escaping, or validation of user-generated content from the chat or bio fields is present.
  • [DATA_EXFILTRATION]: The skill performs network operations to external, non-whitelisted Nostr relays and accesses specific local directory metadata.
    • Evidence: The documentation in SKILL.md details the use of Nostr relays for real-time remote agent interaction, which involves broadcasting the agent's ID, name, and bio to external servers.
    • Evidence: The clawhub-list command accesses and lists the contents of the ~/.openclaw/ directory on the local file system to browse installed extensions.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 2, 2026, 04:12 AM