openclaw
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to perform a global installation of the openclaw package from the NPM registry (npm install -g openclaw@latest).
- [COMMAND_EXECUTION]: The skill executes multiple CLI commands to manage the gateway and its environment.
- openclaw onboard --install-daemon: Configures a system background service, establishing persistence and potentially requiring elevated privileges.
- openclaw cron add: Sets up recurring automated tasks that persist on the host system.
- [DATA_EXFILTRATION]: The gateway is designed to communicate with external messaging platforms and webhooks.
- Configures integrations with WhatsApp, Telegram, and Discord for data transmission.
- Exposes webhook endpoints to receive triggers from external sources like CI/CD pipelines.
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by processing untrusted data from external communication channels.
- Ingestion points: Incoming messages from WhatsApp, Telegram, Discord, and webhook payloads.
- Boundary markers: The skill lacks explicit instructions or delimiters to isolate untrusted message content from the agent's instructions.
- Capability inventory: Access to the host's CLI for command execution and file system access within the ~/.openclaw/ directory.
- Sanitization: There are no mechanisms defined to sanitize or validate external content before it is processed by the AI agents.
Audit Metadata