skills/win4r/openclaw-skill/openclaw/Gen Agent Trust Hub

openclaw

Fail

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructions in README.md, SKILL.md, and references/install.md explicitly direct users to execute a remote script using the high-risk pattern curl -fsSL https://openclaw.ai/install.sh | bash. This executes unverified remote code directly in the system shell.
  • [COMMAND_EXECUTION]: The skill provides the exec and process tools, allowing the agent to perform arbitrary shell command execution, including backgrounded and interactive sessions, on the host system or connected nodes.
  • [COMMAND_EXECUTION]: Documentation in references/elevated.md describes the /elevated full directive, which is designed to execute commands on the host while bypassing all security approval guardrails and sandboxing mechanisms.
  • [EXTERNAL_DOWNLOADS]: The skill involves downloading and installing global npm packages (npm install -g openclaw) and external plugins, which can introduce unverified code into the environment.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection. It is designed to ingest untrusted data from various messaging channels (WhatsApp, Telegram, Discord, etc.) and has significant system capabilities (shell access, file system access). The documentation in references/security.md explicitly identifies this as a known risk.
    • Ingestion points: Messages received via 20+ messaging channels documented in references/channels.md.
    • Boundary markers: The skill uses mention patterns and command prefixes, but these are noted as bypassable in the security reference.
    • Capability inventory: Full shell execution (exec), file system read/write (read, write, edit), browser automation, and multi-agent spawning (sessions_spawn).
    • Sanitization: The documentation suggests treating external content as hostile but provides no automated sanitization for the agent's prompts.
  • [DATA_EXFILTRATION]: The skill allows the agent to access highly sensitive files such as ~/.openclaw/openclaw.json (config) and ~/.openclaw/.env (plaintext secrets). These can be exfiltrated using the web_fetch or message tools to external URLs or chat channels.
Recommendations
  • HIGH: Downloads and executes remote code from: https://openclaw.ai/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 2, 2026, 08:51 AM