desktop-sandbox
Fail
Audited by Snyk on Mar 1, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). This is a GitHub repository from an unfamiliar/unverified account that (per the skill) distributes platform installers (.exe/.pkg) via releases; direct executables from an unknown source are a high-risk indicator for malware distribution.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's installer script (scripts/run_installer.js) directly calls fetchGitHubRelease to query the public GitHub API and then downloads the release asset via asset.browser_download_url (downloadFile) and executes it (runInstaller), which pulls and runs untrusted/public third-party content that can materially change behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The installer script at runtime calls the GitHub Releases API (e.g. https://api.github.com/repos/AtlasCore-tech/desktop-sandbox-openclaw/releases/latest or /releases/tags/...) and then downloads and executes the release asset via asset.browser_download_url (the remote .exe/.pkg), so it fetches and runs remote code that the skill requires.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill instructs installing system-level software into privileged locations (e.g., C:\Program Files\ and /), which would modify system files and likely require elevated privileges, so it pushes the agent to change the machine state.
Audit Metadata