Skills
skills/aradotso/hermes-skills/openclaw-deployment-installer/Gen Agent Trust Hub

openclaw-deployment-installer

Fail

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs the agent to download and execute shell scripts directly from a third-party GitHub repository by piping them to bash. This allows for arbitrary code execution on the user's system without any verification of the remote script's integrity.
  • Evidence: curl -fsSL https://raw.githubusercontent.com/miaoxworld/OpenClawInstaller/main/install.sh | bash in SKILL.md.
  • Evidence: curl -fsSL https://raw.githubusercontent.com/miaoxworld/OpenClawInstaller/main/config-menu.sh | bash in SKILL.md.
  • [COMMAND_EXECUTION]: The skill uses high-privilege and system-modifying commands to manage services and install software globaly.
  • Evidence: npm install -g openclaw performs a global package installation which often requires elevated permissions and modifies system state.
  • Evidence: chmod +x install.sh config-menu.sh changes file execution permissions.
  • Evidence: openclaw gateway start/stop/restart involves managing background system processes.
  • [CREDENTIALS_UNSAFE]: The skill documentation details how to store and manage sensitive API keys (Anthropic, OpenAI, Google Gemini, etc.) in local environment and JSON files. While common for setup, these commands expose credentials to the agent's context.
  • Evidence: Storage of secrets in ~/.openclaw/env and ~/.openclaw/openclaw.json.
  • Evidence: Use of openclaw config set <key> <value> to handle plain-text secrets.
  • [DATA_EXFILTRATION]: The skill provides commands to export and backup the entire configuration and conversation history, which includes the sensitive API keys and personal data mentioned above.
  • Evidence: openclaw export --format json and openclaw backup --output ~/openclaw-backup.tar.gz can package sensitive environment data for extraction.
  • [EXTERNAL_DOWNLOADS]: The skill relies on downloading and cloning code from external repositories that are not recognized as trusted vendors or well-known services.
  • Evidence: git clone https://github.com/miaoxworld/OpenClawInstaller.git.
  • [PROMPT_INJECTION]: The skill establishes a significant attack surface for indirect prompt injection by connecting the agent to external messaging channels (Telegram, Discord, WhatsApp, Feishu).
  • Ingestion points: Data entering from Telegram bots, Discord channels, and WhatsApp messages in SKILL.md.
  • Boundary markers: The skill does not provide instructions to the agent to distinguish between channel data and its own system instructions.
  • Capability inventory: The skill has access to shell execution (bash), file writing, and network operations via the openclaw CLI tool.
  • Sanitization: No sanitization or validation of input from messaging channels is described.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/miaoxworld/OpenClawInstaller/main/config-menu.sh, https://raw.githubusercontent.com/miaoxworld/OpenClawInstaller/main/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
May 17, 2026, 11:51 AM
Security Audit — agent-trust-hub — openclaw-deployment-installer