install-openclaw-to-yc
Pass
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: SAFE
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: Fetches and executes the official Yandex Cloud CLI installer from storage.yandexcloud.net. This is a standard procedure for installing necessary cloud management tools.
- [REMOTE_CODE_EXECUTION]: Downloads and executes the NodeSource setup script to install Node.js 22 LTS on the remote VM during the bootstrap phase.
- [COMMAND_EXECUTION]: Performs numerous administrative tasks such as generating SSH keys (ssh-keygen), managing remote files (ssh, scp), and configuring cloud resources (yc CLI).
- [COMMAND_EXECUTION]: Uses shred to securely delete sensitive user-data files containing tokens after the VM bootstrap is complete. Automated scanner alerts for 'destructive commands' were evaluated as false positives in this context of secret scrubbing.
- [EXTERNAL_DOWNLOADS]: Downloads the OpenClaw software and associated 'CEO AI OS' workspace from the author's official GitHub repository (CodeAlive-AI/ceo-ai-os).
- [PROMPT_INJECTION]: Employs strict instructional directives (e.g., 'don't bother the user' rules) to control agent behavior, ensuring a non-interactive and autonomous user experience during installation. These are benign UX optimizations.
- [DATA_EXFILTRATION]: Collects Telegram and LLM credentials from the user. These are correctly handled by being written to a secured environment file (~/.openclaw/gateway.env) on the remote VM. No evidence of exfiltration to unauthorized parties was found.
- [INDIRECT_PROMPT_INJECTION]: Processes external data via 'workshop bundles' (JSON files). The skill mitigates risks by validating the file schema and using structured parsing (jq) rather than executing the content directly.
Audit Metadata