openclaw-config
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill provides instructions to access and verify sensitive file paths that contain authentication material, specifically:
~/.openclaw/credentials/telegram/*/token.txt(Telegram bot tokens)~/.openclaw/credentials/bird/cookies.json(Twitter/X session cookies)~/.openclaw/agents/main/agent/auth-profiles.json(Anthropic authentication tokens)~/.openclaw/openclaw.json(Main configuration file containing API keys and provider tokens)- [COMMAND_EXECUTION]: The skill's primary functionality is delivered through complex bash command blocks. It performs system process monitoring (
ps), file system operations (cp,mv,rm), and interacts with local databases (sqlite3). It also includes instructions for spawning background processes and orchestrating sub-agents with arbitrary command strings. - [EXTERNAL_DOWNLOADS]: The skill utilizes the
clawdhubutility andnpxto download and install external 'skills' and extensions from remote repositories at runtime. - [PROMPT_INJECTION]: The skill facilitates an indirect prompt injection surface by ingesting untrusted data from various sources:
- Ingestion points: Processes chat transcripts (
.jsonlfiles), daily workspace memory files (.md), and gateway logs (.log) which contain user-generated content. - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used when reading these files.
- Capability inventory: The agent has extensive system capabilities including shell execution, file writing, and managing external communication tools (
signal-cli). - Sanitization: There is no evidence of sanitization or filtering of the content read from session transcripts or logs before it is processed by the agent.
Audit Metadata