openclaw-cli
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The documentation exposes multiple high-risk capabilities—remote command execution on nodes, camera/screen capture, browser control, daemon/service installation, token handling, hooks/plugins installation and logging hooks—that could be abused for data exfiltration, credential theft, persistence, remote access, and supply-chain attacks, although the file itself is descriptive documentation rather than executable malicious code.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's "Browser Control" commands (e.g., openclaw browser open / navigate) permit loading arbitrary external URLs and the channel commands (channels add/login and channels logs for Telegram/Discord/WhatsApp) allow ingesting messages from public platforms, so the agent can read untrusted, user-generated third-party content.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt includes commands that install daemons and system services (e.g., "openclaw onboard --install-daemon", "openclaw gateway install", and service uninstall) which modify system service files and likely require elevated privileges, so it pushes the agent toward changing the machine state.