openclaw-user-onboarding

Pass

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses SSH and SCP to perform remote management tasks, including file manipulation, ownership adjustment (chown), and service management (systemctl). It employs the StrictHostKeyChecking=accept-new flag which, while common for automated setup, bypasses host key verification and introduces a potential Man-in-the-Middle risk.
  • [DATA_EXFILTRATION]: User identity, focus, and preference data is transmitted to a remote VM IP address. This is a functional requirement of the onboarding process, but users must verify the destination IP to ensure data is not sent to an unauthorized server.
  • [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection by storing free-form user input in the bot's persistent context file (USER.md).
  • Ingestion points: User answers to the onboarding questions provided in SKILL.md and references/01-questions.md.
  • Boundary markers: The generated profile file uses standard Markdown headers but lacks specific delimiters or warnings to prevent the agent from interpreting embedded text as instructions.
  • Capability inventory: The skill executes commands and manages files on the remote VM, and the resulting profile influences the future behavior of the OpenClaw agent.
  • Sanitization: No explicit sanitization or escaping mechanisms are applied to the user-provided text before it is written to the profile template.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 22, 2026, 04:55 AM
Security Audit — agent-trust-hub — openclaw-user-onboarding