ngrok-unofficial-webhook-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill starts a public ngrok tunnel and accepts arbitrary incoming webhooks at the WEBHOOK_PATH (see scripts/webhook-server.js and the printed NGROK_URL), then directly formats and forwards webhook bodies into messages for the OpenClaw/LLM to interpret, so it ingests untrusted third‑party content from the open web as part of the agent's workflow.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (low risk: 0.30). The skill does not request sudo, create users, or modify system-level configs, but it runs a long‑running background service and can execute arbitrary shell commands from webhook-driven skill configs—so it poses some risk of changing machine state though it doesn't explicitly ask for privileged/system file modifications.