openclaw-maintainer

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and ingests public, user-generated GitHub content (PR bodies, comments, issue/PR lists and search results) via gh api/gh pr/gh search in commands/reviewpr.md, commands/preparepr.md, and commands/mergepr.md and then uses that content to drive decisions and actions (review verdicts, prep fixes, merges, and aggressive post-merge closing), which creates a clear path for indirect prompt injection from third-party text.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). This skill fetches and checks out PR code at runtime from the PR head repo (e.g. https://github.com/$head_repo.git and via git fetch origin pull//head:pr-), and then runs installs/builds/tests (pnpm) against that code, so remote repository content is executed as part of the workflow and is a required runtime dependency.