openclaw-awd-arena
Warn
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Clones the core platform source code from a third-party GitHub repository (github.com/LYiHub/OpenClaw-AWD-Arena.git) and pulls multiple Docker images from public registries.
- [COMMAND_EXECUTION]: Mounts the host's Docker socket (/var/run/docker.sock) into the referee container, which allows the container to have full administrative control over the host's Docker daemon and all other containers.
- [COMMAND_EXECUTION]: The automated agents (AWDAgent) dynamically execute shell commands (via execute_commands and execute_exploits) that are generated by an LLM in response to real-time competition data.
- [COMMAND_EXECUTION]: Troubleshooting instructions require the use of sudo to manage system-level services (systemctl restart docker).
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface where untrusted competition data influences agent actions.
  - Ingestion points: Target service information and network scan data are ingested into LLM prompts in agent/main.py.
  - Boundary markers: No specific boundary markers or delimiters are used in the prompt templates to separate instructions from competition data.
  - Capability inventory: Agents possess the capability to execute arbitrary shell commands and perform network operations.
  - Sanitization: The skill lacks evidence of sanitization or validation of the LLM-generated strings before they are executed as system commands.
Audit Metadata