install-openclaw-to-digitalocean

Fail

Audited by Snyk on Jun 22, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The wizard explicitly asks the user to paste API tokens (DigitalOcean, Telegram, Anthropic/OpenRouter) and instructs the agent to embed those exact values verbatim into user-data/cloud-init and into commands/HTTP headers (e.g., Authorization, --access-token, ANTHROPIC_API_KEY=…), so the LLM must handle and output secrets directly — an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill intentionally provisions a VM running an LLM-driven agent with loopback-only gateway that can execute arbitrary commands, stores Telegram/LLM credentials in plaintext (and leaves rendered cloud-init in metadata), opens SSH to the world and unrestricted egress, and clones/installs remote packages — creating explicit, high-risk capabilities for remote code execution, credential exposure, and data exfiltration if abused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.95). Outsider free text is ingested via Telegram: the user (an outsider to the operating user) sends /start and subsequent messages, which the OpenClaw gateway forwards into the LLM context for response generation (Step 4/5 Telegram pairing + ongoing chat).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly provisions infrastructure and changes machine state: it creates a Droplet, uploads SSH keys, creates a new Linux user (openclaw) with sudo (no password), installs packages, modifies systemd services (systemctl), configures firewalls/ufw, and stores provider credentials in plaintext—i.e. it asks the agent to perform privileged, state-changing operations that can compromise the host.

Issues (5)

W007
HIGH

Insecure credential handling detected in skill instructions.

E006
CRITICAL

Malicious code pattern detected in skill scripts.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W013
MEDIUM

Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 22, 2026, 04:55 AM
Issues
5
Security Audit — snyk — install-openclaw-to-digitalocean