coding-agent
Fail
Audited by Snyk on Mar 9, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.85). The content contains no direct obfuscated payloads or built-in backdoor code, but it explicitly instructs dangerous operational patterns: disabling sandboxes (--yolo), running agents on the host (elevated), spawning background sessions that return sessionIds with remote-control actions (write/submit/send-keys), and automating install and commit-and-push flows. Together these create a high-risk capability for deliberate data exfiltration, remote code execution, and supply-chain/backdoor insertion if abused.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). SKILL.md explicitly instructs cloning and fetching public GitHub repositories and PR refs (e.g., "git clone https://github.com/user/repo.git $REVIEW_DIR" and "git fetch origin '+refs/pull//head:refs/remotes/origin/pr/'") and then running coding agents in those checkouts so the agent will read and act on untrusted, user-generated repo/PR content, enabling indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill instructs runtime cloning of an external Git repo (git clone https://github.com/user/repo.git) into the agent workdir so the fetched repository contents become the agent's input/context and can directly control prompts or lead to execution of code in that workspace.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (low risk: 0.30). The prompt does not instruct creating users or editing privileged system files, but it explicitly exposes running agents on the host (elevated:true), a "--yolo" no-sandbox mode, and arbitrary shell commands (including global installs), so it enables host-state modification and sandbox bypassing even though it doesn't directly tell the agent to run sudo or edit system configs.
Audit Metadata