agent-retro
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill is designed to ingest and analyze untrusted historical data (session logs) and use the extracted conclusions to modify high-privilege configuration files.
- Ingestion points: Historical chat logs and tool results stored in
~/.openclaw/agents/${agentId}/sessions/(SKILL.md). - Boundary markers: Absent. The instructions do not define delimiters or specify that the agent should ignore instructions or commands found within the processed logs.
- Capability inventory: The agent has the authority to read sensitive session history and perform write/edit operations on core personality files (
SOUL.md), behavioral constraints (AGENTS.md), and long-term memory (MEMORY.md). - Sanitization: Absent. There is no validation or filtering process to ensure that 'lessons' extracted from the logs do not contain malicious instructions meant to subvert the agent's safety or identity.
- [COMMAND_EXECUTION]: Reduced Oversight for Core Modifications. The skill explicitly instructs the agent to 'complete physical disk operations' and update core files before reporting the results to the user. This 'autonomy-first' approach prevents the user from reviewing or intercepting potentially dangerous changes to the agent's core instructions and constraints before they are finalized.
Audit Metadata