openclaw-client-bootstrap

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly requires collecting API keys, tokens, and secrets and shows/encourages embedding them into .env files and command invocations (e.g., inline OPENAI_API_KEY=sk-... bash ... and replacing template placeholders), which forces the agent to handle or output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill clearly ingests public, user-generated content via runtime skills (e.g., assets/runtime-skills/find-customers-openclawth and unclawg-discover) that call wrapper commands like fcoc_search / uc_discover to query Reddit, Hacker News, Twitter/X and LinkedIn (Apify), and the agent is expected to read and act on those posts (ranking candidates and creating approval/action proposals), which lets untrusted third‑party text materially influence decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The install/bootstrap scripts run at runtime fetch-and-execute remote installers (e.g., curl -fsSL https://deb.nodesource.com/setup_22.x | bash, curl -fsSL https://tailscale.com/install.sh | sh, and curl -fsSL https://openclaw.ai/install.sh | bash), which are required by the deployment workflow and thus present a high-risk external-code-execution dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs installing software, configuring Tailscale, modifying systemd services, firewall rules, and running remote scripts/SSH actions that require elevated privileges and can change system files and users, so it directs actions that modify the host state.