Skills
skills/openclaw/skills/compound-engineering/Gen Agent Trust Hub

compound-engineering

Fail

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis

================================================================================

🔴 VERDICT: HIGH

This skill introduces several high-risk elements due to its design and reliance on external, unverified components. The primary concerns are the use of an unverified npx package, the establishment of persistence mechanisms (cron jobs, launchd), the inherent risk of indirect prompt injection through self-modifying instructions, and the explicit instruction to commit and push changes to a Git repository, which constitutes data exfiltration.

Total Findings: 4

🔴 HIGH Findings: • Persistence Mechanism (crontab)

  • Line 98: 0 * * * * /opt/homebrew/bin/clawdbot cron run compound-hourly 2>&1 >> ~/clawd/logs/compound.log
  • The skill explicitly instructs the user to add a cron job, which is a classic persistence mechanism, allowing for scheduled execution of commands. • Persistence Mechanism (launchd)
  • Line 86: <!-- ~/Library/LaunchAgents/com.clawdbot.compound-review.plist -->
  • The skill provides a launchd plist file for macOS, which is another common persistence mechanism for scheduling tasks. • Indirect Prompt Injection / Self-Modifying Instructions
  • Line 20: The idea: Your agent reviews its own work, extracts patterns and lessons, and updates its instructions. Tomorrow's agent is smarter than today's.
  • The core functionality of this skill is to enable the AI agent to review its own past interactions and modify its MEMORY.md and AGENTS.md files based on extracted 'learnings'. This creates a significant risk of indirect prompt injection. If the agent processes malicious or subtly manipulative content in its past 'sessions, chats, tasks, decisions', it could 'learn' and incorporate these malicious instructions into its own memory and future behavior, effectively self-injecting harmful directives. • Data Exfiltration (Git Push)
  • Line 55: Commit and push changes
  • The skill explicitly instructs the agent to 'Commit and push changes' after updating memory files. While intended for version control, this action involves sending local data (MEMORY.md, AGENTS.md) to an external Git repository. If the configured Git remote is compromised or malicious, this constitutes data exfiltration.

🟡 MEDIUM Findings: • Unverifiable Dependency (npx)

  • Line 26: npx compound-engineering review
  • The skill relies on npx compound-engineering, which downloads and executes an external package from npm. The contents of this package are not provided for analysis, making it an unverifiable dependency. This introduces a supply chain risk, as the compound-engineering package could contain malicious code.

🔵 LOW Findings: • None

ℹ️ TRUSTED SOURCE References: • GitHub Repository Reference

  • Line 109: GitHub: github.com/lxgicstudios/ai-compound
  • The skill references a GitHub repository. This is an informational reference and not a direct download or execution from a trusted source, but it's noted as an external link. • GitHub Commit Reference
  • Line 6 in _meta.json: "commit": "https://github.com/clawdbot/skills/commit/15e58928e8d6d88edee6df70bcbf9402faee51f0"
  • The metadata references a specific GitHub commit. This is an informational reference and not a direct download or execution from a trusted source, but it's noted as an external link.

================================================================================

Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 13, 2026, 04:38 AM