configure-notifications
Warn
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill facilitates the configuration of arbitrary shell commands via the `custom_cli_command` and `openclaw.gateways` settings. It provides templates that execute shell commands (e.g., `clawdbot agent`) with redirections (`>>`, `2>&1`) and logic gates (`|| true`).
- [DATA_EXFILTRATION]: The configuration allows the setup of `custom_webhook_command` and various native webhooks (Discord, Slack). This establishes a mechanism to send session data, instructions, and questions to external, user-defined URLs.
- [CREDENTIALS_UNSAFE]: The skill is designed to collect and store sensitive platform tokens and webhook URLs in a local configuration file at `~/.codex/.omx-config.json`.
- [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface by interpolating dynamic event data into command and webhook templates.
  - Mandatory Evidence Chain (Category 8):
    - Ingestion points: Untrusted data enters the context via variables like `{{instruction}}`, `{{question}}`, `{{reason}}`, and `{{event}}` in `SKILL.md`.
    - Boundary markers: None present; variables are interpolated directly into shell command strings and notification bodies.
    - Capability inventory: The skill configures shell command execution (`custom_cli_command`) and network requests (`custom_webhook_command`).
    - Sanitization: No sanitization or validation logic is provided within the skill's instructions for the interpolated content.
- [EXTERNAL_DOWNLOADS]: The verification guidance includes running `npm run build`, which typically triggers the execution of build scripts and the retrieval of external dependencies from public registries.