openclaw-guide
Pass
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The reference guide contains numerous examples of commands requiring administrative privileges (sudo) to manage system-level services via systemctl, modify configuration files in protected directories, and manage cron jobs for the openclaw user.
- [EXTERNAL_DOWNLOADS]: The documentation includes instructions for downloading and executing software from the primary project domain, including an installation script (https://openclaw.ai/install.sh) and various NPM packages.
- [REMOTE_CODE_EXECUTION]: The skill details how to run remote MCP server packages using uvx and provides patterns for piping remote scripts directly to a shell for installation and updates.
- [PROMPT_INJECTION]: The skill describes a gateway system that ingests untrusted data from multiple external sources (Telegram, Discord, Slack, WhatsApp, iMessage), creating a surface for indirect prompt injection.
  - Ingestion points: External messaging channels documented in references/channels.md.
  - Boundary markers: The provided documentation does not specify the use of delimiters or safety instructions to isolate untrusted user messages from the agent's instructions.
  - Capability inventory: The system is documented to have access to shell execution via the exec tool (as detailed in references/05-config-and-cli.md) and the ability to schedule and execute autonomous tasks via a cron system (documented in references/03-cron-heartbeat.md).
  - Sanitization: No specific sanitization or escaping mechanisms for inbound message content are described in the provided reference materials.
Audit Metadata