auto-updater

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's check_update.sh explicitly runs "git fetch --tags" and reads git tags, commit messages, and CHANGELOG.md from the OpenClaw repository (see scripts/check_update.sh and SKILL.md), then may checkout a remote tag and run pnpm/npm build and docker commands—meaning it ingests untrusted, user-authored repository content from upstream remotes that can materially change execution.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The script runs git fetch --tags against the OpenClaw repository remote (the repo origin, e.g. https://github.com/openclaw/openclaw.git), then checks out the latest tag and builds/runs that code—meaning runtime-fetched repository content directly controls and results in executing remote code.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly instructs the agent to apply updates that change files, run builds, run docker build and docker compose up -d, and suggests adding system cron entries and writing to /var/log — all operations that modify system state and likely require elevated privileges.