openclaw-ref

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill ingests untrusted third-party content at runtime — for example inbound messages from public channels (Telegram/Discord/Slack/WhatsApp/Feishu in references/channels-extensions.md) and BOOT.md found in agent workspaces (references/boot-provisioning.md) are explicitly read/interpreted as prompts and can drive tool use (message/exec/tool calls), allowing indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The AgentBox provisioning snippet shows a runtime curl fetch of configuration from "$BACKEND_URL/instances/config?serverId=$SERVER_ID&secret=$SECRET", which is written into ~/.openclaw/openclaw.json at boot—an external URL fetched at runtime that can directly control agent configuration/boot behavior (and thus prompts or execution), so it meets the criteria for a risky external dependency.