lingzhu
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
Tags: PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection: it ingests untrusted device metadata (such as location, running application names, and weather) and user messages from the Lingzhu platform and interpolates them directly into the system prompt context in `extension/src/transform.ts` without sanitization.
  - Ingestion points: `extension/src/http-handler.ts` (POST `/metis/agent/api/sse` endpoint).
  - Boundary markers: uses simple labels like `[rokid glasses信息]` but lacks explicit instructions for the model to ignore embedded commands within the metadata.
  - Capability inventory: file system write access (image downloading) and local network access (calling the OpenClaw gateway API).
  - Sanitization: no validation or escaping is performed on context fields like `runningApp` or `location` before they are added to the prompt.
- [EXTERNAL_DOWNLOADS]: The `preprocessOpenAIMessages` function in `extension/src/http-handler.ts` automatically downloads images from arbitrary URLs provided in incoming messages to a local cache directory (`.cache/img`). While this is a core feature for processing smart glasses photos, it allows the agent to perform outbound network requests and write files to the local disk based on external input.
- [COMMAND_EXECUTION]: The skill defines tools in `extension/src/lingzhu-tools.ts` that translate agent intents into device-level commands (e.g., `take_photo`, `navigate`). These commands are returned to the Lingzhu platform via SSE to trigger hardware actions on the connected glasses.
Audit Metadata