foundry
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The skill enables self-modification by generating and executing code dynamically.
  - Evidence: The `foundry_extend_self` tool accepts `toolCode` to create new agent capabilities.
  - Evidence: The 'crystallization' process converts learned patterns from untrusted external sources into permanent code.
- EXTERNAL_DOWNLOADS (HIGH): The skill installs software from untrusted sources.
  - Evidence: Downloads `@getfoundry/foundry-openclaw` from npm.
  - Evidence: Source code is pulled from `github:lekt9/openclaw-foundry`. Neither source is on the Trusted External Sources list.
- COMMAND_EXECUTION (MEDIUM): Executes shell commands and modifies local configuration files.
  - Evidence: Calls `openclaw plugins install` via the shell.
  - Evidence: Modifies `~/.openclaw/openclaw.json` to enable plugins and change system behavior.
- DATA_EXFILTRATION (LOW): Capability to send potentially sensitive generated patterns to an external API.
  - Evidence: The `foundry_publish_ability` tool targets `api.claw.getfoundry.app`.
- INDIRECT_PROMPT_INJECTION (LOW): High exposure to untrusted data that is used for code generation.
  - Ingestion points: GitHub repositories, arXiv papers, and web documentation via `foundry_research`.
  - Boundary markers: Absent; the system is designed to adopt patterns from these sources automatically.
  - Capability inventory: File writing, extension creation, and self-modification of the agent code base.
  - Sanitization: The skill claims to block `eval` and `child_process`, but a denylist of identifiers is insufficient to prevent AI-driven code generation from producing malicious logic.
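The sanitization finding above is the one a practitioner will most want to verify. The following is an added example, not code from the foundry skill or from the audit: a substring denylist on `eval` and `child_process` of the kind the audit describes (the check itself is a hypothetical stand-in, since the skill's implementation is not shown), run against constructed samples of generated code. Three of the four samples pass the denylist and still reach dynamic code execution or reconstruct the blocked module name at runtime.

```javascript
// Added example (not code from the foundry skill or the audit): a substring
// denylist on "eval" and "child_process" and constructed samples of generated
// code that pass it while still reaching dynamic code execution. The denylist
// check is a hypothetical stand-in for the skill's undisclosed implementation.

const DENYLIST = ["eval", "child_process"];

// Hypothetical sanitizer: rejects code containing any denylisted substring.
function denylistPasses(code) {
  return !DENYLIST.some((term) => code.includes(term));
}

// Constructed samples of code an agent might generate as a tool body.
const SAMPLES = {
  // Obvious form: caught by the denylist.
  blatant: "eval('6*7')",
  // Global eval reached through a computed property name: no "eval" substring.
  computedEval: "globalThis['ev' + 'al']('6*7')",
  // The Function constructor compiles arbitrary source without naming eval.
  functionCtor: "new Function('return 6*7')()",
  // The module name is assembled at runtime, so "child_process" never appears
  // in the source the sanitizer sees; a require() call would still receive it.
  joinedModule: "['child', 'process'].join('_')",
};

// Runs a sample the way a dynamically loaded tool body would be run and
// returns its value, so the evasion is checked rather than asserted.
function evaluate(code) {
  return Function('"use strict"; return (' + code + ');')();
}

// Audits every sample: does the denylist pass it, and what does it evaluate to?
function audit() {
  const report = {};
  for (const [name, code] of Object.entries(SAMPLES)) {
    report[name] = { passesDenylist: denylistPasses(code), result: evaluate(code) };
  }
  return report;
}

console.table(audit());
```

The takeaway matches the audit's conclusion: once generated code is executed in a process that holds `require` and ambient file and network authority, no identifier denylist draws a meaningful boundary. The controls that do are not executing generated code at all, executing it in an isolated process with no module loader and no credentials, or gating it behind human review before it is crystallized.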
Recommendations
- AI detected serious security threats
Audit Metadata