openclaw-china-docker
Warn
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill documentation includes an explicit instruction in Pattern 3 (provided in Chinese) that directs the agent to ignore its default web search capabilities in favor of a specific third-party plugin.
- Ingestion points: User conversation (Pattern 3 instructions meant for chat input).
- Boundary markers: Absent from the recommended prompt string.
- Capability inventory: Host system access via Docker socket, persistent storage via volume mounts, and network access.
- Sanitization: No sanitization or safety delimiters are suggested for the injected instructions.
- [COMMAND_EXECUTION]: The documentation and example configurations (Pattern 4 and Troubleshooting) recommend mounting the host's Docker socket (`/var/run/docker.sock`) into the container. This configuration provides the container—and any code executed by the agent within it—administrative privileges over the host's Docker daemon, representing a significant privilege escalation risk and enabling container escape.
- [EXTERNAL_DOWNLOADS]: The skill relies on external code and assets from various sources, with notable naming inconsistencies between the GitHub repository (`justlovemaki`) and the DockerHub image (`justlikemaki`).
- Evidence: Repository URL `github.com/justlovemaki/openclaw-china-docker.git` vs. Docker image `justlikemaki/openclaw-docker-cn-im`.
- Plugin Installation: Uses a custom command `npx openclaw plugin:install` to fetch and execute third-party code (larksuite/openclaw-lark) at runtime.
Audit Metadata