openclaw-awd-arena

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This skill explicitly enables automated offensive operations: LLM agents are instructed to generate and execute exploit commands, containers are provisioned with offensive tooling (nmap, netcat), the referee suggests mounting /var/run/docker.sock (allowing host-level Docker control), and agent/referee interactions send potentially sensitive target and credential data to external LLM APIs — together these behaviors create clear, high-risk capabilities for remote code execution, credential/data exfiltration, and host compromise (no obfuscated/backdoor payloads were found, but the orchestration itself is intentionally dangerous and easily repurposed for real-world attacks).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The installation steps clone and then build/run code from the external repository https://github.com/LYiHub/OpenClaw-AWD-Arena.git (followed by docker-compose up), so remote code is fetched at runtime and executed as a required dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill instructs editing host system files (e.g., /etc/docker/daemon.json), running sudo/systemctl (e.g., sudo systemctl restart docker), and mounting /var/run/docker.sock into containers—actions that require root privileges and can allow containers to control or modify the host—so it encourages changing the machine state and bypassing protections.