openclaw-wiki

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Remote Code Execution (CRITICAL): Multiple documentation files, including docs/start/getting-started.md and docs/install/index.md, recommend installing the software by piping a remote script straight into a shell (curl -fsSL https://openclaw.ai/install.sh | bash on Unix-like hosts, iwr -useb https://openclaw.ai/install.ps1 | iex on Windows). Whatever the server returns runs immediately with the invoking user's privileges, with no opportunity to read the script or compare it against a pinned checksum or signature, so a compromised host, hijacked DNS or intercepted connection turns the install step into code execution. The domain openclaw.ai is not included in the trusted external sources list.
  • Command Execution (HIGH): The skill documents the exec tool and an /elevated command suite (docs/tools/exec.md, docs/tools/elevated.md). Notably, the /elevated full directive is documented to let an AI agent execute commands on the host gateway or node while explicitly bypassing user-configured approval prompts and allowlists, which removes the one control that would otherwise stand between an injected instruction and the host shell.
  • External Downloads (MEDIUM): The documentation frequently directs users to download binaries and plugins from external repositories and registries (e.g., GitHub, npm) without checksum or signature verification in the primary setup paths, so a substituted or tampered artifact would be installed without detection.
  • Indirect Prompt Injection (LOW): As a gateway for third-party messaging apps such as WhatsApp and Telegram, the system accepts attacker-controlled text from anyone who can message it, giving it a large surface for indirect prompt injection:
      • Ingestion points: SKILL.md and docs/channels/index.md list numerous external messaging platforms as input sources.
      • Boundary markers: docs/automation/gmail-pubsub.md mentions 'external-content safety boundaries', but these are not applied universally to all channels.
      • Capability inventory: the exec, write, browser, and camera tools give an attacker who succeeds with an injection significant capability on the host.
      • Sanitization: docs/concepts/agent-loop.md mentions sanitization of tool results, but static analysis cannot confirm its runtime effectiveness against malicious message payloads.
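The Remote Code Execution and External Downloads findings above share one remedy: fetch the artifact to a file, verify it against a digest or signature obtained out of band, and only then execute it. The following POSIX shell functions are an added example written for this audit; they are not openclaw's installer or any code from the project. The URL and expected digest are placeholders the caller supplies (the audit does not publish a digest for install.sh), the function names are hypothetical, and the only external tools assumed are curl, awk and sha256sum or shasum.

```shell
#!/usr/bin/env sh
# Added example: download-then-verify-then-run, as the alternative to
# `curl ... | bash`. Not part of the openclaw project; names are hypothetical.

sha256_of() {
  # Print the lowercase SHA-256 hex digest of a file, using whichever tool exists.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_sha256() {
  # Succeed (exit 0) only if the file's digest equals the expected digest,
  # which must come from a channel independent of the download (docs page
  # served over a different path, signed release notes, package lockfile, ...).
  file="$1"
  expected="$2"
  actual="$(sha256_of "$file")"
  [ "$actual" = "$expected" ]
}

fetch_and_verify() {
  # Download a URL to a local path and verify it. Fails if the transfer fails
  # (-f) or the digest does not match; the file is left on disk for inspection.
  # Placeholder for the real installer URL; not exercised offline.
  url="$1"
  expected="$2"
  out="$3"
  curl -fsSL "$url" -o "$out" || return 1
  verify_sha256 "$out" "$expected"
}

run_verified_installer() {
  # Execute a local installer script only after its digest checks out.
  # Nothing is ever piped from the network into the shell.
  installer="$1"
  expected="$2"
  if verify_sha256 "$installer" "$expected"; then
    sh "$installer"
  else
    echo "digest mismatch for $installer; refusing to run" >&2
    return 1
  fi
}

# Typical use (placeholders, not a real digest):
#   fetch_and_verify https://example.invalid/install.sh "$PINNED_SHA256" ./install.sh \
#     && run_verified_installer ./install.sh "$PINNED_SHA256"
```

The same verify step applies to binaries and plugins pulled from GitHub or npm: record the digest of the release you reviewed, and refuse anything that does not match. Where the publisher signs releases, checking the signature (for example with a detached signature and the publisher's key fetched separately) is stronger than a bare digest, because it also binds the artifact to the publisher rather than only to a value you copied earlier.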
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 18, 2026, 07:27 PM