openclaw-guide

Pass

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The reference guide contains numerous examples of commands that require administrative privileges (sudo) to manage system-level services via systemctl, modify configuration files in protected directories, and manage cron jobs for the openclaw user.
  • [EXTERNAL_DOWNLOADS]: The documentation includes instructions for downloading and executing software from the primary project domain, including an installation script (https://openclaw.ai/install.sh) and various NPM packages.
  • [REMOTE_CODE_EXECUTION]: The skill details how to run remote MCP server packages using uvx and provides patterns for piping remote scripts directly to a shell for installation and updates; in that pattern the fetched script executes before it can be inspected or its integrity verified.
  • [PROMPT_INJECTION]: The skill describes a gateway system that ingests untrusted data from multiple external sources (Telegram, Discord, Slack, WhatsApp, iMessage), creating a surface for indirect prompt injection.
    • Ingestion points: External messaging channels documented in references/channels.md.
    • Boundary markers: The provided documentation does not specify the use of delimiters or safety instructions to isolate untrusted user messages from the agent's instructions.
    • Capability inventory: The system is documented to have access to shell execution via the exec tool (as detailed in references/05-config-and-cli.md) and the ability to schedule and execute autonomous tasks via a cron system (documented in references/03-cron-heartbeat.md).
    • Sanitization: No specific sanitization or escaping mechanisms for inbound message content are described in the provided reference materials.
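As an added example, not code from the openclaw project or from this audit, the following shows the download, verify, then run pattern a practitioner would substitute for piping https://openclaw.ai/install.sh straight into a shell. The function names (`sha256_of`, `verify_and_run`, `fetch_verify_run`) and the idea of a pinned expected digest are assumptions for illustration; the real digest must come from the project out of band (a signed checksum file or release notes), and nothing here asserts what that value is.

```shell
#!/usr/bin/env sh
# Added example, not openclaw code. Replaces "curl URL | sh" with:
# download to a file -> verify a pinned SHA-256 -> only then execute.
# The pinned digest passed to these functions is an ASSUMPTION the
# caller must obtain out of band; never copy it from the same server
# that serves the script.
set -eu

# sha256_of FILE: print the hex SHA-256 of FILE (coreutils or perl fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_and_run FILE EXPECTED_SHA256 [INTERPRETER]
# Executes FILE with INTERPRETER (default: sh) only when its digest
# matches EXPECTED_SHA256. On mismatch it prints both digests to stderr,
# runs nothing, and returns 1.
verify_and_run() {
    file=$1
    expected=$2
    interp=${3:-sh}
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        printf 'refusing to run %s: checksum mismatch\n  expected %s\n  actual   %s\n' \
            "$file" "$expected" "$actual" >&2
        return 1
    fi
    "$interp" "$file"
}

# fetch_verify_run URL EXPECTED_SHA256
# The network is never connected directly to a shell: the script lands
# in a temp file first, so it can be read (e.g. `less "$tmp"`) and has
# its digest checked before a single line of it executes.
fetch_verify_run() {
    url=$1
    expected=$2
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    # --proto '=https' and --tlsv1.2 refuse plaintext or downgraded transports;
    # --fail makes an HTTP error a failure instead of a saved error page.
    curl --fail --silent --show-error --location \
         --proto '=https' --tlsv1.2 -o "$tmp" "$url"
    verify_and_run "$tmp" "$expected"
}
```

Usage would be `fetch_verify_run https://openclaw.ai/install.sh "$PINNED_SHA256"` with the digest taken from a trusted, separate source; the same review-before-execute discipline applies to the uvx-launched MCP packages the guide describes, where pinning an exact package version serves the role the digest plays here.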
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 22, 2026, 04:54 AM
Security Audit — agent-trust-hub — openclaw-guide