search-layer
Warn
Audited by Gen Agent Trust Hub on May 1, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill fetches data from arbitrary external sources, including websites, GitHub discussions, and Reddit threads, and provides this content to an LLM for relevance scoring in
relevance_gate.pyand knowledge synthesis insearch.py. This introduces a risk of indirect prompt injection where malicious instructions embedded in a searched page could attempt to manipulate the agent's logic or output. - Ingestion points: Web content is fetched and processed in
fetch_thread.py,search.py(via Grok results), andchain_tracker.py. - Boundary markers: Limited use of XML-style tags (e.g.,
<query>) is present in some prompts, but there is no comprehensive isolation for general web content passed to the LLM. - Capability inventory: The skill can perform network requests to multiple APIs and read local system configuration files.
- Sanitization: Fetched content is truncated to limit token usage but is not sanitized to remove potential instructional patterns or malicious injections.
- [COMMAND_EXECUTION]: The skill requires the execution of local Python scripts (
search.py,fetch_thread.py,chain_tracker.py) with arguments derived from potentially untrusted user search queries. Furthermore,scripts/search.pydynamically loads thefetch_thread.pymodule at runtime usingimportlib.util.spec_from_file_locationwith a path calculated from the file's current location. - [DATA_EXFILTRATION]: The skill accesses sensitive local files to retrieve authentication credentials, specifically reading
~/.openclaw/credentials/search.jsonfor search provider keys and scanning~/.git-credentialsfor GitHub personal access tokens. While these are necessary for the skill's primary functionality, they involve reading sensitive authentication data from the user's home directory.
Audit Metadata