aliyun-openclaw-setup

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's required workflow (Step 3 and references/channel-discovery.md) explicitly instructs the agent to open and extract install/configuration commands from the public site https://docs.openclaw.ai/channels/index and apply them to the host, meaning external web content directly influences actions and tooling.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs a remote install script (curl -fsSL https://deb.nodesource.com/setup_20.x | bash) and directs installing plugins from a GitHub repo (https://github.com/DingTalk-Real-AI/dingtalk-openclaw-connector.git) and to pull exact install commands from the live docs (https://docs.openclaw.ai/channels), all of which are fetched at runtime and can execute remote code or directly determine the commands the agent will run.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs SSH as root and running privileged commands (apt-get, global npm installs, openclaw gateway install/start, systemctl) that modify system packages and services, i.e., change the host state and require elevated privileges.