openclaw

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). The first URL (127.0.0.1:18789) is a local loopback dashboard and not an external download source, but the second (https://openclaw.ai/install.sh) is a direct shell-install script from an external domain — piping remote .sh to bash is a high-risk pattern unless you fully trust and have inspected the provider and the script.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly exposes the agent to untrusted third‑party content via its browser and web tools (references/browser.md shows commands like openclaw browser ... open <url> and JS evaluation), the web_fetch/web_search tool and Firecrawl fallback (references/diffs_firecrawl.md and tools groups referencing web_fetch/web_search), and the public ClawHub registry (references/clawhub.md) — all of which ingest public webpages, user-generated skills, or arbitrary URLs that the agent is expected to read and which can influence subsequent tool actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.60). The skill explicitly guides installing and managing a self-hosted gateway (including a curl|bash install, service installation/management, doctor --fix and security audit --fix) which encourages modifying system services/files and performing system-level changes that can alter the machine state even though it does not explicitly instruct creating users or bypassing sudo.