openclaw-relay
Warn
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Executes shell commands locally and on remote hosts using subprocess.run and ssh to interact with node, pnpm, and the acpx extension. Found in scripts/openclaw_relay.py in functions run_local, run_ssh, run_acpx, and run_openclaw.
- [DATA_EXFILTRATION]: Accesses and verifies the existence of a sensitive credential file located at ~/.openclaw/gateway.token. Referenced in scripts/openclaw_relay.py and SKILL.md.
- [REMOTE_CODE_EXECUTION]: Facilitates code and script execution on a remote machine via SSH (configured by the host parameter). Implementation of run_ssh and its usage in run_acpx and run_openclaw within scripts/openclaw_relay.py.
- [PROMPT_INJECTION]: The publish command interpolates user-controlled variables (text and context) into a multi-line prompt intended for another agent session without using boundary markers or sanitization, which could lead to indirect prompt injection. Found in the build_publish_prompt function in scripts/openclaw_relay.py. Ingestion points: args.text and args.context. Boundary markers: Absent. Capability inventory: Remote and local command execution via subprocess and ssh in scripts/openclaw_relay.py. Sanitization: Absent for interpolated message content.
Audit Metadata