openclaw-setup
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The installation guide suggests executing remote scripts via `curl -fsSL https://openclaw.ai/install.sh | bash` and `iwr -useb https://openclaw.ai/install.ps1 | iex`. While these target the project's official domain, the pattern bypasses package manager safety checks.
- [COMMAND_EXECUTION]: The skill relies on extensive use of shell commands to manage system services through `launchctl` (macOS) and `systemctl` (Linux), and includes potentially destructive commands like `rm -rf ~/.openclaw` and `killall openclaw` for uninstallation purposes.
- [EXTERNAL_DOWNLOADS]: Fetches configuration templates, software packages, and updates from `openclaw.ai` and `github.com/openclaw/openclaw`.
- [CREDENTIALS_UNSAFE]: Instructions explicitly guide the agent to access and display paths known to contain sensitive information, specifically `~/.openclaw/openclaw.json` and the `~/.openclaw/credentials/` directory, which may contain API keys for LLM providers.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its data processing surface.
- Ingestion points: User-provided messages are directly interpolated into CLI commands such as `openclaw agent --message "<message>"`. It also reads local configuration and state files from `~/.openclaw/`.
- Boundary markers: The instructions lack explicit delimiters or warnings to ignore embedded commands within user-provided data.
- Capability inventory: Capabilities include file system modification, service installation for persistence, and network communication via the gateway.
- Sanitization: There is no evidence of input validation or escaping for user-supplied strings before they are passed to the shell environment.
Audit Metadata