openclaw-deployment-installer
Audited by Snyk on May 17, 2026
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). Although several links point to legitimate APIs (Anthropic, Telegram, Discord, Ollama, Feishu), the skill instructs downloading and executing raw shell scripts from a relatively unknown GitHub user (raw.githubusercontent.com/.../install.sh and config-menu.sh) and references unspecified/custom endpoints that could be swapped for malicious backends — direct curl|bash of unvetted scripts and unknown repo binaries are high-risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly configures messaging integrations (Telegram, Discord, WhatsApp, Feishu) and bot message intents (e.g., "Message Content Intent", im.message.receive_v1, WhatsApp QR login) so the agent will ingest and act on arbitrary user-generated messages from those public/third‑party channels.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill instructs users to fetch and execute remote installer scripts at runtime (e.g., curl -fsSL https://raw.githubusercontent.com/miaoxworld/OpenClawInstaller/main/install.sh | bash and curl -fsSL https://raw.githubusercontent.com/miaoxworld/OpenClawInstaller/main/config-menu.sh | bash, and git clone https://github.com/miaoxworld/OpenClawInstaller.git), which runs remote code and is used as the installer/deployment path.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire document for literal, high-entropy values that could be used to access services.
Flagged:
- Telegram bot token "123456789:ABCdefGHIjklMNOpqrsTUVwxyz" — this is a full token-like string in the docs (numeric bot id + long random suffix). It matches the Telegram Bot token format and is not displayed as a clearly redacted/placeholder value, so it appears as a usable credential.
Ignored (not flagged) and why:
- ANTHROPIC_API_KEY="sk-ant-xxxxx", OPENAI_API_KEY="sk-xxxxx", OPENROUTER_API_KEY="sk-or-xxxxx", GROQ_API_KEY="gsk_xxxxx", GEMINI_API_KEY="your-gemini-key", MISTRAL_API_KEY="your-mistral-key" — clearly redacted or placeholder-style values (low entropy / masked), so treated as examples/placeholders.
- Feishu appId "cli_xxxxxxxxx" and appSecret "your-app-secret" — placeholder/redacted.
- Numeric IDs (userId "987654321", channelId "1234567890123456789", other numeric IDs) — not secrets.
- Other example values and simple strings in examples (e.g., "your-api-key-here", "your-service-role-key", "SecurePassword123!") — documentation placeholders or example passwords per the rules.
No private key/PEM blocks or other high-entropy secrets were found.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt instructs running a remote installer (curl | bash), globally installing packages (npm -g), and auto-starting a gateway service—actions that modify system files/services and likely require elevated privileges, so it can change the machine state.