openclaw

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes explicit CLI examples that pass API/OAuth tokens as command-line arguments (e.g., --token, --token $TOKEN, channels add --channel <ch> --token <t>) which requires the agent to embed secret values verbatim in commands/outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's documentation (SKILL.md and references/channels.md) explicitly instructs connecting to public messaging platforms (WhatsApp, Telegram, Discord, Slack, etc.) and describes the agent reading/responding to incoming messages and group DMs (including configurable "open" DM policy), meaning it ingests untrusted, user-generated third-party content that can drive actions and tools.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill instructs running global installs and an onboarding flag that installs a system daemon (launchd/systemd), which modifies system services/files and can require sudo, so it does push the agent to change the machine state.