install-openclaw-to-yc
Fail
Audited by Snyk on Jun 22, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly asks the user to paste Telegram bot tokens and LLM API keys and instructs the agent to embed those secret values verbatim into cloud-init, environment files, and command headers (e.g., curl -H "x-api-key: …"), which requires the LLM to handle and output secrets directly — a high exfiltration risk.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). The list contains multiple direct installer scripts and runtime installs (NodeSource deb.nodesource.com script, Yandex Cloud install.sh fetched and piped to bash, npm package endpoints and a GitHub repo distributing install/bootstrap code), plus workshop-bundle handling and self-run cloud-init that execute remote code—patterns (curl|bash, direct .sh installers, npm/global packages, repo-distributed installers) are high-risk delivery vectors if the sources or repo are unverified and thus could be used to distribute malware.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). Outsider free text can enter the LLM context via the Telegram channel: the user’s /start and subsequent messages (authored by a non-operating-user) are ingested by the OpenClaw gateway and forwarded to the agent’s LLM as chat content, enabling indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill clearly executes remote install/bootstrap code at runtime (e.g., "curl -fsSL https://storage.yandexcloud.net/yandexcloud-yc/install.sh | bash" to install yc, "curl -fsSL https://deb.nodesource.com/setup_22.x | bash" to install Node, "git clone --depth 1 https://github.com/CodeAlive-AI/ceo-ai-os.git" followed by running its install.sh, npm install -g openclaw from the npm registry, and runtime "npx skills add CodeAlive-AI/ceo-ai-os@openclaw-guide"), so these URLs/remote package fetches are required at runtime and fetch+execute remote code that directly controls agent behavior.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill instructs the agent to create and configure VMs, create a sudo-enabled user account, modify systemd services and config files, install CLIs and SSH keys, and open SSH/network ingress (0.0.0.0/0) — all actions that change machine state and require privileged operations, so it should be flagged.
Issues (5)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- E005 (CRITICAL): Suspicious download URL detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.
Audit Metadata