Skills
skills/serenorg/seren-skills/gclaw-agent/Gen Agent Trust Hub

gclaw-agent

Fail

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill documentation (SKILL.md, README.md) and installation scripts recommend a highly dangerous execution pattern: curl -fsSL https://raw.githubusercontent.com/GemachDAO/Gclaw/main/install.sh | bash. This allows an untrusted remote script to execute directly in the user's shell environment with no prior review.
  • [REMOTE_CODE_EXECUTION]: The scripts/install.sh file downloads a binary executable (gclaw) from a GitHub release and installs it to a system path (/usr/local/bin). The integrity of this binary is entirely dependent on the GemachDAO repository's security.
  • [COMMAND_EXECUTION]: The agent is configured with a shell tool that permits the execution of command-line operations (e.g., curl, cat, ls). When combined with the agent's autonomous trading and web-browsing capabilities, this presents a significant risk for unauthorized system access or data exfiltration.
  • [COMMAND_EXECUTION]: The skill features a 'Self-Recoding' capability, allowing the AI agent to modify its own system prompts and configuration at runtime. This can lead to unpredictable behavior or persistent subversion of the agent's instructions.
  • [CREDENTIALS_UNSAFE]: The skill requires the management of high-value secrets, specifically the CONTROL_WALLET_PRIVATE_KEY for blockchain transactions and multiple LLM provider API keys. While the skill suggests using environment variables, an autonomous agent with shell and web access handling these keys creates a high risk of credential exposure.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data from multiple external channels (Telegram, Discord, Web Search) and incorporates this data into its decision-making and 'Self-Recoding' logic without explicit sanitization or boundary markers.
  • Ingestion points: Telegram, Discord, and Web Search tool outputs (specified in SKILL.md).
  • Boundary markers: Absent in the system prompt templates provided in config.example.json.
  • Capability inventory: Subprocess calls via agent.py, shell tool execution, and DeFi trading via GDEX SDK.
  • Sanitization: No evidence of input filtering or escaping for external content processed by the agent.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/GemachDAO/Gclaw/main/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Mar 21, 2026, 02:44 AM