openclaw-rl-training

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Rollout Collector and OPD workflows explicitly ingest live user/environment feedback and conversations (see "Rollout Collector" / collect_rollouts.py and rollout_opd.py with get_next_feedback and extract_hint_from_feedback, plus rollout configuration/session-aware collection) which are untrusted user-generated inputs that the agent reads and uses to create teacher prompts, compute rewards, and drive training—allowing third-party content to materially influence agent behavior.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill includes code that executes agent-generated shell commands (subprocess.run with shell=True) and automated GUI actions, enabling an agent to run arbitrary commands that can modify the host system even though it doesn't explicitly request sudo or create users.