openclaw
Fail
Audited by Snyk on Mar 9, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). These URLs host raw .sh and .ps1 installer scripts on an unverified domain, and the skill explicitly instructs piping them directly into bash/PowerShell (curl | bash / iwr | iex), an established high-risk pattern for malware distribution without code review or provenance.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly references and instructs use of the public ClawdHub skill registry (see "ClawdHub is the public skill registry" and the "ClawdHub Commands" / "clawdhub search/install" entries), which causes the agent to fetch and install third-party, user-contributed skills whose content can change agent behavior and thus could enable indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's installation instructions explicitly fetch and execute remote scripts at runtime (curl -fsSL https://openclaw.ai/install.sh | bash and PowerShell iwr -useb https://openclaw.ai/install.ps1 | iex), which runs code from openclaw.ai and thus is a runtime external dependency that executes remote code.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt includes installation commands (curl | bash, iwr | iex, npm -g) and an "openclaw onboard --install-daemon" step that encourage system-wide installs and creating daemons/service files: actions that modify system state and typically require sudo or can alter systemctl/service configuration.
Audit Metadata