openclaw-setup

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs connecting to and ingesting user-generated content from public messaging channels (Telegram group/DM history and iMessage) and external web services (Brave/Tavily search, link previews, and ClawHub community skills) as part of the required setup and runtime workflow (see SKILL.md and references/telegram-channel.md, references/imessage-channel.md, references/mac-local-setup.md, and references/anthropic-auth.md), so untrusted third-party content can influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs running remote install scripts and cloning repos at runtime—e.g., curl -fsSL https://openclaw.ai/install.sh | bash (also curl -fsSL https://get.docker.com | sh, /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)", curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.0/install.sh | bash, and git clone https://github.com/openclaw/openclaw.git)—which clearly fetch and execute remote code and are presented as the recommended/required install path.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs installing software (curl | bash installer), installing a system daemon, changing Docker/system bindings and running system-level checks—actions that modify system files and services and typically require elevated privileges—so it pushes the agent to change the machine state.