openclaw-security-hardening

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). These URLs are suspicious because they include direct links to executable shell scripts hosted on unknown or plaintext-HTTP domains (unknown-domain.com/script.sh, http://example.com/setup.sh) plus an unvetted/third-party GitHub repo and short domain (ara.so) that should be reviewed before downloading or piping into a shell.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs cloning a public GitHub repository (git clone https://github.com/slowmist/openclaw-security-practice-guide.git) and tells the agent to "read the OpenClaw Security Practice Guide v2.8 from docs/OpenClaw-Security-Practice-Guide-v2.8.md" and load its red/yellow rules, which the agent is then expected to act on (deploy scripts, install cron jobs, change configs), meaning untrusted third‑party content can directly influence tool use and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs cloning and using the repository at https://github.com/slowmist/openclaw-security-practice-guide.git at runtime and sending the fetched guide (e.g., docs/OpenClaw-Security-Practice-Guide-v2.8.md) to the OpenClaw agent to drive deployment and behavior, so the external repo content is fetched at runtime, directly controls agent instructions, and is relied on as a required dependency.