install-openclaw-to-hetzner
Fail
Audited by Snyk on Jun 22, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). Insecure: the skill explicitly asks the user to paste Telegram, LLM (Anthropic/OpenRouter) and Hetzner API tokens and then embeds those secrets verbatim into curl headers, cloud-init, hcloud context and other commands — forcing the LLM/agent to handle and output raw secret values.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). The required runtime workflow ingests outsider-authored free text via Telegram updates: the wizard polls https://api.telegram.org/bot<TOKEN>/getUpdates to extract chat_id, and later the user’s /start and subsequent messages are delivered by Telegram and processed by the OpenClaw gateway/LLM, so arbitrary user-authored text (not chosen by the operating user) can reach the agent’s LLM context.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill fetches and executes remote code at runtime (e.g., git clone https://github.com/CodeAlive-AI/ceo-ai-os.git then running its install.sh, piping https://deb.nodesource.com/setup_22.x to bash, and downloading the hcloud binary from https://github.com/hetznercloud/cli/releases/latest/download/...), which directly installs and runs code that configures the agent/workspace and is required for the install—this meets the criteria for a high-confidence runtime-executed external dependency.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly directs the agent to install system software (including sudo tar to /usr/local/bin), create and configure a VM (cloud-init that creates a sudo user "openclaw"), upload SSH keys, modify firewall rules, restart systemd services, and store API tokens/contexts — i.e. multiple privileged state-changing operations that modify the machine and require elevated privileges.
Issues (4)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.