openclaw
Fail
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The CLI utility references a bootstrap installation method that pipes a remote script from GitHub directly into the bash shell. This is a high-risk pattern that allows for arbitrary code execution.
- Evidence: `curl -fsSL https://raw.githubusercontent.com/TechNickAI/openclaw-config/main/scripts/bootstrap.sh | bash` in the `openclaw` script.
- [COMMAND_EXECUTION]: The skill configures a persistent cron job that executes the `claude` CLI with the `--dangerously-skip-permissions` flag. This flag explicitly bypasses the agent's safety and permission prompts, allowing it to perform potentially harmful actions without user intervention.
- Evidence: Step 9 in `SKILL.md` describes the cron job configuration with the dangerous flag.
- [COMMAND_EXECUTION]: The `openclaw` script dynamically executes other shell scripts (`sync.sh`, `version-check.sh`) that are downloaded from a remote repository into the local cache. These scripts are executed with the user's local shell permissions.
- Evidence: `bash "$SCRIPTS_DIR/version-check.sh"` and `bash "$SCRIPTS_DIR/sync.sh"` in the `openclaw` script.
- [CREDENTIALS_UNSAFE]: The skill prompts the user to provide and store sensitive API keys for several third-party services, including OpenAI, Limitless, Fireflies.ai, Quo, and Parallel.ai.
- Evidence: Configuration steps 6 and 8 in `SKILL.md` explicitly request API keys from users.
- [DATA_EXFILTRATION]: The skill creates a broad attack surface for data theft by collecting numerous high-value API keys and establishing an automated, hourly execution environment with bypassed security controls. This environment has access to the user's file system and memory directories.
Recommendations
- AI detected serious security threats
Audit Metadata