openclaw
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill directs the agent to use `npx -y clawhub`, which downloads and executes the 'clawhub' CLI tool directly from the npm registry during the session.
- [EXTERNAL_DOWNLOADS]: The tool is designed to search for and download 'skills' from the external OpenClaw registry, introducing third-party code and markdown into the agent's filesystem and context.
- [COMMAND_EXECUTION]: The skill provides instructions for the agent to run shell commands that modify the local environment by writing files to the `{skills_folder_path}` directory.
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection.
  - Ingestion points: Data returned from the `clawhub search` command and the content of skills installed from the external registry are processed by the agent.
  - Boundary markers: There are no boundary markers or instructions to ignore embedded commands provided for the external data.
  - Capability inventory: The agent has the capability to execute shell commands (`npx`) and modify its own available tools through skill installation.
  - Sanitization: No mechanisms for validating or sanitizing the content fetched from the OpenClaw registry are defined in the skill.
Audit Metadata