openclaw-genie
Fail
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill documentation promotes a high-risk installation method using curl -fsSL https://openclaw.ai/install.sh | bash, which executes unverified code from a remote server directly in the system shell.
- [COMMAND_EXECUTION]: The skill provides instructions for using the exec tool, which can run arbitrary shell commands on the host system or in a sandbox. Without strict sandboxing, this provides a direct path for system compromise.
- [DATA_EXFILTRATION]: The skill documentation references sensitive files such as ~/.openclaw/openclaw.json, ~/.openclaw/.env, and creds.json which store API keys and platform credentials. These files are accessible through tools like memory_get and exec described in the documentation.
- [PROMPT_INJECTION]: The skill defines a large attack surface for indirect prompt injection as the agent is designed to ingest and process data from 22+ messaging platforms, PDF documents, and external URLs.
  - Ingestion points: Messaging channel inputs, PDF analysis, and web_fetch tool outputs.
  - Boundary markers: No specific delimiters or safety warnings for data interpolation are described in the instructions.
  - Capability inventory: High-privilege tools including exec, browser automation, and nodes hardware control.
  - Sanitization: The documentation mentions sandboxing and tool profiles, but these are configuration-dependent and not enforced by the skill itself.
Recommendations
- HIGH: Downloads and executes remote code from: https://openclaw.ai/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata