
picoclaw

Warn

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user to download, build, and install software from an external GitHub repository (github.com/sipeed/picoclaw). This involves cloning the source and running build commands (make build, make install) that execute code from the repository on the local system; the user is trusting whatever is at that repository's HEAD at install time.
  • [COMMAND_EXECUTION]: The application includes a "Heartbeat" feature that periodically reads ~/.picoclaw/workspace/HEARTBEAT.md and executes the tasks defined in it. Commands and scripts therefore run at runtime based on the contents of a local file, so anything able to write that file can schedule work for the agent; since the same file is also an injection ingestion point (below), its contents are not trustworthy by construction.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted external data.
    ◦ Ingestion points: Messaging gateways (Telegram, Discord, Slack, LINE, etc.), web search results (Brave, DuckDuckGo), and the HEARTBEAT.md workspace file.
    ◦ Boundary markers: The skill documentation mentions a workspace sandbox but does not specify delimiters around ingested data or instructions telling the LLM to ignore commands embedded in it.
    ◦ Capability inventory: The agent can execute subprocesses, perform file operations (read/write), and make network requests through the configured tools and gateways, which is the full set needed to turn an injected instruction into persistence or exfiltration.
    ◦ Sanitization: The tool implements a workspace sandbox (restrict_to_workspace: true) and is documented as blocking specific dangerous commands (e.g., rm -rf). Whether that filter is a string denylist or an allowlist, how it resolves paths, and how it holds up against deliberate evasion were not verified.
  • [CREDENTIALS_UNSAFE]: The configuration examples and setup instructions involve numerous sensitive API keys (e.g., OpenRouter, Anthropic, OpenAI, Telegram Bot tokens), all stored in a local plain-text JSON file (~/.picoclaw/config.json). Any code path with read access to that file, including an injected instruction that triggers a file read followed by a network request, can expose every key at once.
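The sandbox and credential findings above reduce to three checks a reviewer can make concrete. The Go program below is an added illustration written for this page; it is not picoclaw's code, and the workspace path, the meaning of restrict_to_workspace, and the rm -rf denylist are assumptions taken from the audit text, not from the project's source. It shows a workspace-confinement check that resolves symlinks before comparing paths (a string-prefix check alone lets a symlink inside the workspace point outside it), a substring denylist beside an allowlist to make clear why the former is easy to sidestep, and a permissions check for the plain-text config file.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Illustrative checks only. The "~/.picoclaw/workspace" confinement and the
// "rm -rf" denylist are assumptions drawn from the audit text, not from
// picoclaw's source.

// resolveExisting resolves symlinks on the deepest existing ancestor of abs
// and re-attaches the not-yet-existing tail, so a file the agent is about
// to create is checked against the real location it will land in.
func resolveExisting(abs string) (string, error) {
	var tail []string
	p := abs
	for {
		if r, err := filepath.EvalSymlinks(p); err == nil {
			return filepath.Join(append([]string{r}, tail...)...), nil
		} else if !errors.Is(err, os.ErrNotExist) {
			return "", err
		}
		parent := filepath.Dir(p)
		if parent == p {
			return "", fmt.Errorf("no existing ancestor for %s", abs)
		}
		tail = append([]string{filepath.Base(p)}, tail...)
		p = parent
	}
}

// InsideWorkspace reports whether candidate stays under workspace after
// cleaning and symlink resolution. Comparing raw strings would accept
// workspace/link/x when link -> /etc.
func InsideWorkspace(workspace, candidate string) (bool, error) {
	ws, err := filepath.Abs(workspace)
	if err != nil {
		return false, err
	}
	if ws, err = filepath.EvalSymlinks(ws); err != nil {
		return false, err
	}
	abs, err := filepath.Abs(candidate)
	if err != nil {
		return false, err
	}
	resolved, err := resolveExisting(abs)
	if err != nil {
		return false, err
	}
	rel, err := filepath.Rel(ws, resolved)
	if err != nil {
		return false, err
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)), nil
}

// DenylistBlocks mimics a substring denylist of the kind the audit
// describes ("blocks rm -rf"). Equivalent spellings slip past it.
func DenylistBlocks(cmd string) bool {
	return strings.Contains(cmd, "rm -rf")
}

// allowed is the positive list a reviewer would rather see: decide what may
// run instead of what may not.
var allowed = map[string]bool{"ls": true, "cat": true, "grep": true}

// AllowlistPermits accepts a command only if its first word is allowlisted
// and no shell metacharacters could chain a second command behind it.
func AllowlistPermits(cmd string) bool {
	if strings.ContainsAny(cmd, ";&|`$<>(){}\n") {
		return false
	}
	fields := strings.Fields(cmd)
	return len(fields) > 0 && allowed[fields[0]]
}

// ConfigModeOK reports whether a credential file such as
// ~/.picoclaw/config.json is readable by its owner only (0600 or stricter).
// It does not make plain-text storage safe; it keeps other local users out.
func ConfigModeOK(path string) (bool, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return fi.Mode().Perm()&0o077 == 0, nil
}

func main() {
	ws, err := os.MkdirTemp("", "picoclaw-ws") // stand-in for ~/.picoclaw/workspace
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(ws)
	for _, p := range []string{filepath.Join(ws, "HEARTBEAT.md"), filepath.Join(ws, "..", "config.json")} {
		ok, err := InsideWorkspace(ws, p)
		fmt.Printf("%-40s inside=%v err=%v\n", p, ok, err)
	}
	for _, c := range []string{"rm -rf /", "rm -fr /", "rm -r -f /", "ls; rm -fr /"} {
		fmt.Printf("%-14q denylist blocks=%v allowlist permits=%v\n", c, DenylistBlocks(c), AllowlistPermits(c))
	}
}
```

Running it shows the denylist stopping only the literal "rm -rf" spelling while the allowlist rejects every variant, and the traversal path resolving outside the workspace. The symlink case (a link inside the workspace pointing at its parent) is the one to add when reviewing a real restrict_to_workspace implementation.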
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 13, 2026, 09:16 PM