clawdlink

Fail

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The cli.js file contains multiple command injection points. User-supplied arguments for name, friend, message, and pollArgs are interpolated directly into shell commands via execSync without sanitization or escaping.
      • Evidence: Line 25 (setup), Line 48 (add), Line 58 (send), and Line 63 (poll) in cli.js use template literals to build shell commands.
  • [COMMAND_EXECUTION]: The setNestedValue utility in lib/preferences.js is vulnerable to prototype pollution. This allows an attacker to manipulate the global object prototype through the preferences set action.
      • Evidence: The implementation in lib/preferences.js does not check for restricted keys like __proto__ or constructor when splitting the path and traversing the object.
  • [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by ingesting and delivering untrusted data from a remote relay. It lacks boundary markers or instructions to treat message content as data rather than instructions.
      • Ingestion points: lib/relay.js fetches messages; lib/requests.js fetches friend requests.
      • Capability inventory: The skill has file system access (read/write keys) and network access to an external relay.
      • Sanitization: No sanitization or escaping is performed on message.content.text before it is formatted into markdown for the agent's context in lib/style.js and heartbeat.js.
      • Boundary markers: Absent. Delivered messages are wrapped in bold headers but do not include instructions to ignore embedded commands.
  • [DATA_EXFILTRATION]: The skill establishes a permanent network connection to a non-whitelisted relay service at https://clawdlink-relay.vercel.app to route E2E encrypted messages. While consistent with the skill's purpose, this represents a channel for data transfer to an external domain.
  • [COMMAND_EXECUTION]: The scripts/install.js file implements a persistence mechanism by modifying the agent's HEARTBEAT.md file to automatically execute the heartbeat.js script periodically.
      • Evidence: appendFileSync(HEARTBEAT_FILE, CLAWDLINK_SECTION) in scripts/install.js adds a recurring shell command to the platform's automation configuration.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 24, 2026, 12:25 AM