install-openclaw-to-digitalocean
Fail
Audited by Snyk on Jun 22, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The wizard explicitly asks the user to paste API tokens (DigitalOcean, Telegram, Anthropic/OpenRouter) and instructs the agent to embed those exact values verbatim into user-data/cloud-init and into commands/HTTP headers (e.g., Authorization, --access-token, ANTHROPIC_API_KEY=…), so the LLM must handle and output secrets directly — an exfiltration risk.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The skill intentionally provisions a VM running an LLM-driven agent with loopback-only gateway that can execute arbitrary commands, stores Telegram/LLM credentials in plaintext (and leaves rendered cloud-init in metadata), opens SSH to the world and unrestricted egress, and clones/installs remote packages — creating explicit, high-risk capabilities for remote code execution, credential exposure, and data exfiltration if abused.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.95). Outsider free text is ingested via Telegram: the user (an outsider to the operating user) sends
/startand subsequent messages, which the OpenClaw gateway forwards into the LLM context for response generation (Step 4/5 Telegram pairing + ongoing chat).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill fetches and executes remote code at runtime (e.g., it runs curl -fsSL https://deb.nodesource.com/setup_22.x | bash
- to install Node.js, git-clones and runs https://github.com/CodeAlive-AI/ceo-ai-os.git/install.sh, and may download doctl tarballs from https://github.com/digitalocean/doctl/releases/...), which directly executes external code and is required for the install.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly provisions infrastructure and changes machine state: it creates a Droplet, uploads SSH keys, creates a new Linux user (openclaw) with sudo (no password), installs packages, modifies systemd services (systemctl), configures firewalls/ufw, and stores provider credentials in plaintext—i.e. it asks the agent to perform privileged, state-changing operations that can compromise the host.
Issues (5)
W007
HIGHInsecure credential handling detected in skill instructions.
E006
CRITICALMalicious code pattern detected in skill scripts.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUMAttempt to modify system services in skill instructions.
Audit Metadata