claw-orchestrator
Warn
Audited by Snyk on May 5, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill exposes an OpenAI-compatible HTTP endpoint (references/openai-compat.md and cli.md) that accepts arbitrary requests from webchat/labeling clients (e.g., ChatGPT-Next-Web, Open WebUI, LobeChat) and can be configured with OPENCLAW_CORS_ORIGINS=*. As a result, untrusted third-party user-generated messages are ingested as session user turns that may drive tool use, CLI subprocesses, and agent actions (e.g., session_start/session_send), enabling indirect prompt injection.
Issues (1)
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).