openclaw-user-onboarding
Pass
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: SAFE
Flags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses SSH and SCP to perform remote management tasks, including file manipulation, ownership adjustment (chown), and service management (systemctl). It employs the `StrictHostKeyChecking=accept-new` flag which, while common for automated setup, accepts a previously unseen host key on first contact without verifying it and so introduces a potential Man-in-the-Middle risk on that first connection.
- [DATA_EXFILTRATION]: User identity, focus, and preference data are transmitted to a remote VM IP address. This is a functional requirement of the onboarding process, but users must verify the destination IP to ensure data is not sent to an unauthorized server.
- [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection by storing free-form user input in the bot's persistent context file (USER.md).
  - Ingestion points: User answers to the onboarding questions provided in `SKILL.md` and `references/01-questions.md`.
  - Boundary markers: The generated profile file uses standard Markdown headers but lacks specific delimiters or warnings to prevent the agent from interpreting embedded text as instructions.
  - Capability inventory: The skill executes commands and manages files on the remote VM, and the resulting profile influences the future behavior of the OpenClaw agent.
  - Sanitization: No explicit sanitization or escaping mechanisms are applied to the user-provided text before it is written to the profile template.
Audit Metadata