tg-channel-manager
Pass
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its core functionality of reading and processing untrusted web content.
- Ingestion points: In the 'Scout' phase (scout-prompt.md), the agent is instructed to use curl to fetch search results from SearXNG and then specifically told to 'open the source and read its content' to generate summaries.
- Boundary markers: The prompt instructions do not include boundary markers (e.g., XML tags or delimiters) or specific negative constraints to prevent the agent from following instructions hidden within the fetched articles.
- Capability inventory: The agent has permissions to write to local files (content-queue.md), execute local Python scripts (dedup-check.py), and interact with the Telegram API via the message tool.
- Sanitization: No sanitization or filtering is applied to the retrieved web content before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill utilizes the 'openclaw cron' command system (cron-setup.md) to establish persistence, allowing the agent to automatically execute scouting and publishing prompts at scheduled intervals.
- [COMMAND_EXECUTION]: The skill executes a local Python utility (scripts/dedup-check.py) using command-line arguments derived from external content, such as article topics and URLs. This requires the agent to properly quote and escape these inputs to prevent potential shell injection.
- [EXTERNAL_DOWNLOADS]: The skill makes network requests to a user-provided SearXNG instance and various external news sources during the content discovery process.
Audit Metadata