openclaw-control
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill acts as a proxy, forwarding user input to another AI agent.
  - Ingestion points: Untrusted data enters via the 'message' field in the 'POST /openclaw/send' request.
  - Boundary markers: Absent. There are no delimiters or instructions to help the target agent distinguish between the user's data and potential malicious commands.
  - Capability inventory: The skill allows sending messages, managing configurations, and controlling service states (start/stop/restart).
  - Sanitization: None detected. User input is interpolated directly into the API payload.
- [Command Execution] (MEDIUM): The ability to start, stop, and restart the gateway via API calls ('/openclaw/gateway/*') constitutes service-level control which could be exploited to cause denial of service or unauthorized state changes.
- [Remote Code Execution] (MEDIUM): The metadata description explicitly mentions "installing skills." If this functionality allows fetching and loading code from arbitrary paths or URLs without verification, it represents a significant RCE vector.
- [Data Exposure] (LOW): Access to '/openclaw/config' and '/openclaw/session' exposes system configuration and session details, though the operations are directed at localhost.
Recommendations
- AI detected serious security threats
Audit Metadata