openclaw-config

Warn

Audited by Snyk on Mar 1, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent/operator to browse and install skills from public ClawdHub/GitHub (see "Skills: ClawdHub Ecosystem" and "Creating Your Own Skill"), and states that installed skills (markdown + optional scripts/references) are "loaded into context" and can extend agent behavior, meaning untrusted, user-generated third‑party content is fetched and can materially change tool use and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). Commands that fetch remote skills (e.g., "npx add-skill " / "clawdhub install " which pull a GitHub or registry URL) load SKILL.md content at runtime into the agent context, allowing externally-hosted markdown/scripts to directly control prompts or execute code.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt includes numerous actionable commands that edit/delete config and credential files, restart services, install extensions (including into system-level paths), spawn/kill background agents and modify runtime behavior—allowing an agent to change or damage the host state even though it doesn't explicitly request sudo or create users.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 09:43 AM