soulflow
Warn
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill reads the sensitive system file ~/.openclaw/openclaw.json to retrieve the gateway authentication token (lib/gateway.js).
- [CREDENTIALS_UNSAFE]: The framework clones the authProfiles property from existing agents to the soulflow-worker agent, exposing third-party service credentials (such as GitHub or cloud provider tokens) to automated processes (lib/runner.js).
- [COMMAND_EXECUTION]: The skill programmatically grants the full tool profile to the worker agent, enabling unrestricted execution of shell commands and file system modifications via the exec and edit tools (lib/runner.js).
- [COMMAND_EXECUTION]: The lib/nl-handler.js script spawns Node.js subprocesses using user-provided task descriptions as command-line arguments. While it uses array-based arguments, the lack of input validation on the task string poses a risk if the string is passed to downstream shell-based tools.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by design. Workflow steps interpolate the raw output of previous steps (e.g., results from the web_fetch or read tools) into the prompt for the next step using the {{stepid_output}} variable. The absence of boundary markers or sanitization allows malicious data found in external files or websites to be interpreted as agent instructions, potentially leading to unauthorized operations using the worker's elevated permissions.
Audit Metadata