skills/win4r/openclaw-skill/openclaw/Gen Agent Trust Hub

openclaw

Fail

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill documentation and installation guide in README.md and SKILL.md suggest running 'curl -fsSL https://openclaw.ai/install.sh | bash'. This pattern is highly dangerous as it executes an external script with the user's shell privileges without prior verification, which could lead to a full system compromise.
  • [COMMAND_EXECUTION]: The agent is equipped with the exec tool, allowing it to run arbitrary shell commands on the host system or remote nodes. The reference files exec.md and gateway_ops.md also detail installing system-level services under systemd and launchd, which typically requires administrative privileges and can be used to achieve persistence.
  • [PROMPT_INJECTION]: The skill creates a broad surface for indirect prompt injection by integrating with messaging platforms like WhatsApp, Telegram, and Discord.
    1. Ingestion points: Data enters the system context via incoming messages as defined in channels.md and sessions.md.
    2. Boundary markers: No clear delimiters or safety warnings are documented for separating user input from agent instructions.
    3. Capability inventory: The agent has powerful capabilities including shell execution (exec.md), file manipulation (tools.md), and network fetching (web_tools.md).
    4. Sanitization: There is no documented evidence of input sanitization or validation for these external data sources.
Recommendations
  • HIGH: Downloads and executes remote code from: https://openclaw.ai/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Mar 11, 2026, 04:37 PM