openclaw-backup

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly parses and stores generated passwords from script output and instructs the agent to embed those passwords verbatim in commands/requests (e.g., --password "…") and write them into a recovery file, so the LLM must handle secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill downloads backups from the public soul-upload.com API (e.g., the download endpoint f"{BASE_URL}/backup/{backup_id}" and user-provided download URLs) and then decrypts and reads/exposes the restored files (and parses server JSON), so it ingests untrusted third-party/user-provided content that the agent will read and present, allowing indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's runtime Python script uses https://soul-upload.com (POST/GET/DELETE) to upload and download encrypted backups which contain SOUL.md / MEMORY.md / IDENTITY.md (agent prompt/instruction files) and the restore flow requires fetching that remote content to replace the agent workspace, so the URL can directly control the agent's prompts/state.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 15, 2026, 03:55 PM