install-openclaw-to-yc

Pass

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: SAFE
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Fetches and executes the official Yandex Cloud CLI installer from storage.yandexcloud.net. This is a standard procedure for installing necessary cloud management tools.
  • [REMOTE_CODE_EXECUTION]: Downloads and executes the NodeSource setup script to install Node.js 22 LTS on the remote VM during the bootstrap phase.
  • [COMMAND_EXECUTION]: Performs numerous administrative tasks such as generating SSH keys (ssh-keygen), managing remote files (ssh, scp), and configuring cloud resources (yc CLI).
  • [COMMAND_EXECUTION]: Uses shred to securely delete sensitive user-data files containing tokens after the VM bootstrap is complete. Automated scanner alerts for 'destructive commands' were evaluated as false positives in this context of secret scrubbing.
  • [EXTERNAL_DOWNLOADS]: Downloads the OpenClaw software and associated 'CEO AI OS' workspace from the author's official GitHub repository (CodeAlive-AI/ceo-ai-os).
  • [PROMPT_INJECTION]: Employs strict instructional directives (e.g., 'don't bother the user' rules) to control agent behavior, ensuring a non-interactive and autonomous user experience during installation. These are benign UX optimizations.
  • [DATA_EXFILTRATION]: Collects Telegram and LLM credentials from the user. These are correctly handled by being written to a secured environment file (~/.openclaw/gateway.env) on the remote VM. No evidence of exfiltration to unauthorized parties was found.
  • [INDIRECT_PROMPT_INJECTION]: Processes external data via 'workshop bundles' (JSON files). The skill mitigates risks by validating the file schema and using structured parsing (jq) rather than executing the content directly.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 22, 2026, 04:54 AM
Security Audit — agent-trust-hub — install-openclaw-to-yc