jqopenclaw-node-invoker

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This skill is essentially a remote-control/backdoor specification — exposing file read/write, recursive listing/search (rg), remote exec (process.exec/system.run), process management/kill, screenshots, clipboard read/write, synthetic input, and self-update via downloaded binaries — which together enable data exfiltration, credential theft, remote code execution, disabling security processes, and supply‑chain style updates, making it highly weaponizable and malicious in intent or effect if misused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.95). The skill allows invoking node.selfUpdate with an arbitrary HTTP/HTTPS downloadUrl (references/command-spec.md and SKILL.md), causing the agent to direct the node to fetch and run remote binaries—clearly ingesting untrusted third-party content that can materially change actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's node.selfUpdate action requires a runtime downloadUrl (http/https) which the node will HTTP-download and run an update script/batch (executing remote code), so external URLs are used at runtime to fetch and execute code (parameter: downloadUrl).

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly enables and maps to actions that modify system state (file.write including delete/move, process.manage/kill, process.exec/system.run, node.selfUpdate, input control), which can change or damage the host even if it says not to escalate privileges, so it should be flagged.