clawdbot-self-security-audit

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The prompt explicitly claims the skill is "read-only" and "never modifies settings," yet it documents a --fix flag that applies guardrail changes and includes remediation/incident-response commands that modify state, a contradiction that amounts to deceptive instructions outside the stated scope.

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill explicitly instructs reading config files and environment variables (e.g., cat ~/.clawdbot/*, env | grep CLAWDBOT_GATEWAY_TOKEN) and produces reports/command outputs, which would cause the agent to handle and likely output secret values verbatim if not carefully redacted.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). Although the skill claims "read-only", it explicitly includes a --fix flag and concrete remediation commands (chmod, stop daemon, generate tokens, edit configs, rotate keys) that would modify configuration, file permissions and running services, so it encourages state-changing actions on the host.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 16, 2026, 10:36 AM