openclaw-config
Fail
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill provides instructions to access and display multiple forms of sensitive credentials, including Telegram bot tokens in ~/.openclaw/credentials/telegram/*/token.txt, Anthropic auth tokens in ~/.openclaw/agents/main/agent/auth-profiles.json, and Twitter/X authentication cookies in ~/.openclaw/credentials/bird/cookies.json.
- [DATA_EXFILTRATION]: The runbook facilitates the reading of private communication data, including WhatsApp session keys in ~/.openclaw/credentials/whatsapp/default/ and session transcripts stored as JSONL files in ~/.openclaw/agents/main/sessions/.
- [COMMAND_EXECUTION]: The skill relies extensively on shell command execution (bash) to perform diagnostic and configuration tasks, including complex pipelines involving jq, grep, and sqlite3 that process system files and logs.
- [EXTERNAL_DOWNLOADS]: The skill promotes the installation of additional functionality from external, third-party sources using commands like clawdhub install <slug> and npx add-skill <repo>, which can lead to the introduction of malicious code into the environment.
- [REMOTE_CODE_EXECUTION]: It describes multi-agent orchestration patterns that involve executing remote or background processes (e.g., codex exec, claude) with parameters that can be influenced by untrusted inputs.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from messaging logs (WhatsApp, Telegram, Signal) using shell-based processing tools. A malicious message stored in these logs could attempt to influence the agent's behavior when the diagnostic commands are executed.
Recommendations
- AI detected serious security threats
Audit Metadata