openclaw-security-practice-guide
Fail
Audited by Snyk on May 17, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). Mixed signals: several links point to reputable GitHub documentation (low risk), but the set also includes raw/content endpoints and direct .sh/script links (raw.githubusercontent, example.com/script.sh), an unknown domain (ara.so), and a repo named "suspicious-skill" — all of which can readily host or serve executable scripts/binaries and are therefore capable of distributing malware if untrusted or modified.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The guide explicitly instructs the agent to fetch and read public third-party content (e.g., "Step 1: curl -O https://raw.githubusercontent.com/slowmist/.../OpenClaw-Security-Practice-Guide-v2.8.md", the Skill Installation Audit Protocol's "git clone skill-review", and the External Script Review "curl -o script.sh https://example.com/script.sh") and then to evaluate or act on that content, which could allow untrusted/user-generated content to influence tool use and decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The Quick Start explicitly instructs downloading the guide at runtime via curl (e.g. https://raw.githubusercontent.com/slowmist/openclaw-security-practice-guide/main/docs/OpenClaw-Security-Practice-Guide-v2.8.md and the v2.7 variant), and then tells the agent to read and follow that downloaded markdown, so external content fetched at runtime would directly control agent instructions.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The guide explicitly assumes/requests root/sudo-capable execution and contains numerous instructions that modify system state (install cron jobs, change ownership/permissions, chattr, crontab edits, apt installs, inspect/modify SSH keys, etc.), so it pushes the agent to perform privileged, state-changing operations.
Issues (4)
- CRITICAL E005: Suspicious download URL detected in skill instructions.
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- MEDIUM W013: Attempt to modify system services in skill instructions.