system-watchdog
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION] (LOW): The
run.shscript sends system health data (extracted fromgateway.logandgateway.err.log) to a hardcoded Discord channel ID1467890964843597988using the--deliverflag. This exposes internal system state to an external third-party destination. - [COMMAND_EXECUTION] (LOW): The skill executes local binaries and scripts, specifically
openclawandhealth_fetcher.py, located in user-controlled directories ($HOME/.npm-global/bin/and$HOME/.openclaw/scripts/). - [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8).
- Ingestion points: Raw system log data is fetched via
health_fetcher.pyand stored inHEALTH_DATA_JSON. - Boundary markers: None. The JSON data is directly interpolated into the
TASK_PROMPTwithout delimiters or 'ignore' instructions. - Capability inventory: The agent can send messages via
--deliverand has 'high' thinking enabled. - Sanitization: None. Malicious content present in system logs (e.g., injected via HTTP headers or error messages) would be processed as instructions by the LLM.
- [SAFE] (SAFE): The
SKILL.mdfile contains a security policy that explicitly forbids the inclusion of API keys and secrets in the generated reports, which is a positive security practice, though it does not mitigate the technical vulnerabilities in the execution script.
Audit Metadata