openclaw-config
Fail
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to download and execute remote shell and PowerShell scripts directly from the internet using the pipe-to-shell pattern. This matches a confirmed detection by automated scanners. Evidence: `curl -fsSL https://openclaw.ai/install.sh | bash` and `iwr -useb https://openclaw.ai/install.ps1 | iex` in `SKILL.md`.
- [COMMAND_EXECUTION]: The skill encourages the installation of global software and system-level configuration, including background daemon setup. Evidence: `npm install -g openclaw@latest` and `openclaw onboard --install-daemon`.
- [DATA_EXFILTRATION]: The skill reads the `~/.openclaw/openclaw.json` file, which is documented to store sensitive secrets. Evidence: `cat ~/.openclaw/openclaw.json` reads credentials such as `OPENROUTER_API_KEY`, Telegram `botToken`, and Discord tokens, as documented in `references/config-reference.md`.
- [EXTERNAL_DOWNLOADS]: The skill fetches documentation and index files from `docs.openclaw.ai` to dynamically determine agent behavior and configuration steps.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by processing external untrusted content to guide its operations.
  1. Ingestion points: Fetches `llms.txt` and specific documentation pages from `https://docs.openclaw.ai/`.
  2. Boundary markers: None present to isolate external data from instructions.
  3. Capability inventory: Shell execution (bash), file reading/writing (cat, config edits), and networking (curl).
  4. Sanitization: No input validation or sanitization is performed on the fetched content.
Recommendations
- HIGH: Downloads and executes remote code from: https://openclaw.ai/install.sh - DO NOT USE without thorough review
- AI detected serious security threats