openclaw

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill’s docs (see references/automation/webhook and references/automation/gmail-pubsub) show the Gateway accepts external HTTP/webhook and Gmail Pub/Sub payloads (e.g., POST /hooks/agent and mapped /hooks/gmail) and runs isolated agent turns or executes BOOT.md content, meaning untrusted, user-generated third‑party content is ingested and directly interpreted by the agent as part of its workflow.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill documentation includes privileged installation steps (npm -g, "onboard --install-daemon", daemon/service and proxy/deploy instructions) that imply creating/modifying system services and system-level files and so could push an agent or user to change the machine state; it does not explicitly request sudo or user-creation but clearly covers actions that affect system services/configuration.