openclaw-control-center
Fail
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to download source code from an external GitHub repository.
- Evidence:
git clone https://github.com/TianyiDataScience/openclaw-control-center.gitin SKILL.md. - [REMOTE_CODE_EXECUTION]: The installation process involves executing external code through Node.js package managers and build scripts.
- Evidence: Sequential execution of
npm install,npm run build, andnpm run dev:uiafter cloning the repository. - [COMMAND_EXECUTION]: Multiple shell commands are provided to set up and run the environment.
- Evidence: Use of
git clone,cd,npm install,cp .env.example .env,npm run build,npm test, andnpm run dev:ui. - [DATA_EXFILTRATION]: The skill instructions involve reading and modifying sensitive local files and environment variables.
- Evidence: Accessing
~/.openclaw/openclaw.jsonand managing.envfiles containingLOCAL_API_TOKENand security flags. - [PROMPT_INJECTION]: The dashboard acts as a processing layer for untrusted agent data, creating a surface for indirect prompt injection.
- Ingestion points: Agent activity, token usage, and collaboration messages are ingested via API endpoints like
/api/hall/tasks/${task.id}/messagesand/api/usage/metrics(referenced in SKILL.md). - Boundary markers: Absent; no explicit delimiters or instructions to ignore embedded content are mentioned.
- Capability inventory: The installation scripts execute shell commands (
npm install,npm run dev:ui) and the dashboard performs network operations viafetch(referenced in SKILL.md). - Sanitization: Absent; no validation or escaping of external agent content is described in the documentation.
Recommendations
- AI detected serious security threats
Audit Metadata