alicloud-platform-openclaw-setup
Warn
Audited by Snyk on Mar 11, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs a remote install script (curl -fsSL https://deb.nodesource.com/setup_20.x | bash) and instructs live discovery of channel install commands from https://docs.openclaw.ai/channels and installing plugins from https://github.com/DingTalk-Real-AI/dingtalk-openclaw-connector.git during runtime, which fetch and execute remote code or directly control the agent's installation/instruction actions.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). Yes — the skill explicitly instructs SSH as root, running privileged package installs (apt-get, npm -g), installing and starting services (openclaw gateway, systemctl commands), and modifying system/user config files, all of which modify system state and require elevated privileges.
Audit Metadata