openclaw
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: Documentation in 'references/installation.md' and 'references/deployment.md' provides instructions to execute remote scripts directly via the shell (e.g., curl -fsSL https://openclaw.ai/install.sh | bash).
- [COMMAND_EXECUTION]: The documented 'exec' tool enables an AI agent to run arbitrary shell commands on the gateway host. Documentation also includes instructions for using 'sudo' and establishing persistence via macOS LaunchAgents and shell profiles.
- [EXTERNAL_DOWNLOADS]: The skill describes downloading various plugins and binaries from npm and GitHub during the setup of messaging channels like Signal and LINE.
- [PROMPT_INJECTION]: The skill documentation details an architecture where the agent processes untrusted data from multiple external chat platforms including WhatsApp, Telegram, and Discord (ingestion points). Boundary markers like the 'external content safety wrapper' are present but can be disabled via 'allowUnsafeExternalContent'. The capability inventory includes arbitrary shell execution (exec), file-write, and network operations. Sanitization is described as wrapping external content with safety boundaries by default.
Audit Metadata