openclaw-setup

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs agents to ingest and act on untrusted, user-generated public content — e.g., references/best-practices.md shows a code-review agent being given a GitHub PR URL ("审查这个 PR: https://github.com/...") and the SKILL.md/references mention GitHub, docs.openclaw.ai, Discord and channel/webhook integrations (Telegram/WhatsApp/Discord/webhooks) as runtime data sources that the agent will read and act on.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly guides installation and management of system services (e.g., "install-daemon", "gateway install", instructions about launchd/systemd and removing system services) which typically modify system-level files and require elevated privileges, so it encourages state-changing operations on the host.