openclaw-qa-testing
Warn
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes external markdown data. (1) Ingestion points: the agent reads and processes scenario files from the 'qa/scenarios/' directory. (2) Boundary markers: no delimiters or instructions are given to the agent to distinguish scenario data from instructions. (3) Capability inventory: the agent can execute shell commands via pnpm and has read/write access to the repository structure. (4) Sanitization: scenario content is not validated or sanitized before the agent uses it.
- [DATA_EXFILTRATION]: The skill instructs the agent to check the user's shell profile (~/.profile) when troubleshooting environment issues. This file often contains sensitive secrets such as API keys, environment variables, and authentication tokens.
- [COMMAND_EXECUTION]: The skill provides templates for executing arbitrary shell commands via pnpm to run suites, character evaluations, and manual tests on the host machine.
Audit Metadata