openclaw-zero-token

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.75). While the list contains legitimate references (Hugging Face, Anthropic/claude.ai, arXiv, nodesource, GitHub), it also includes unknown third‑party domains, multiple GitHub repos from unvetted authors, localhost/debug endpoints and explicit instructions to run Chrome in remote‑debug mode and capture/store browser auth tokens — a pattern that enables credential exfiltration and running arbitrary code, so the combined set is a significant security risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). High risk: the skill is explicitly designed to capture browser cookies/bearer tokens to bypass paid API keys, stores sensitive auth data, exposes a Chrome debug port, and includes an exec/tool-calling capability—features that enable credential harvesting, arbitrary command execution, and potential data exfiltration or remote compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly shows the gateway and agent tooling fetch and summarize public web pages (Tool Calling -> web_search / web_fetch) and the onboarding flow drives a browser to public chat sites (e.g., https://chat.deepseek.com, claude.ai, etc.) so the agent reads and acts on untrusted, user-generated/open-web content as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The installation steps fetch and execute remote code (curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash) and clone/run the repository (git clone https://github.com/linuxhsj/openclaw-zero-token.git then pnpm install/build), so these URLs are runtime external dependencies that result in executing fetched code.