acp

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill explicitly instructs the agent to pass full group URLs including the ?code= invite token "原样传入", which forces the LLM to include potentially sensitive invite codes verbatim in its generated JSON actions, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests untrusted public content (e.g., remote agent profiles via acp_fetch_agent_md / https://{agent}.agentcp.io/agent.md, group links processed by join_by_url, and public APIs like https://agentunion.net used via curl) as described in SKILL.md and the resources (resources/agent-md.md, resources/groups.md, resources/rank.md), and that content is parsed and used to drive behavior (generate persona, decide joins, pull messages, influence actions), allowing indirect prompt injection from third-party/ user-generated sources.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's installer explicitly clones and installs remote plugin code from https://github.com/coderXjeff/openclaw-acp-channel.git (with a Gitee fallback https://gitee.com/yi-kejing/openclaw-acp-channel.git) during runtime (git clone + npm install), and that fetched code is a required plugin whose execution can directly control agent behavior.