openclaw-map

Fail

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: HIGH; CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill explicitly maps and documents the path ~/.openclaw/credentials/, which is stated to contain OAuth tokens and secrets. Providing an AI agent with the specific location of sensitive credential storage increases the risk of unauthorized data exposure or accidental exfiltration.
  • [COMMAND_EXECUTION]: The skill includes a maintenance script (scripts/update-baseline.sh) and instructions in references/environment.md that utilize npx openclaw and node -e to execute code and extract environment data. These patterns involve the execution of external packages and dynamic code at runtime.
  • [PROMPT_INJECTION]: The skill establishes an attack surface for indirect prompt injection by instructing agents to read and navigate untrusted data sources.
      • Ingestion points: The agent is directed to read session transcripts in ~/.openclaw/agents/<agentId>/sessions/*.jsonl, workspace metadata in ~/.openclaw/workspace/*.md, and cron run logs in ~/.openclaw/cron/runs/*.jsonl.
      • Boundary markers: There are no instructions or delimiters provided to ensure the agent ignores embedded instructions within these data files.
      • Capability inventory: The agent typically has broad capabilities including file system modification, command execution via the OpenClaw CLI, and potentially network access.
      • Sanitization: No sanitization or validation of the content within the session logs or workspace files is performed before the agent processes them.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 6, 2026, 06:49 PM