skills/itechmeat/llm-code/picoclaw/Gen Agent Trust Hub

picoclaw

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill documents the 'tools.exec' and 'hooks' systems which allow the agent to execute shell commands and trigger external scripts (e.g., 'python3 /tmp/review_gate.py'). It provides security guidance on using regex-based deny patterns to mitigate risk.
  • [EXTERNAL_DOWNLOADS]: Documents the 'picoclaw skills install' command used to fetch and install additional agent capabilities from GitHub repositories (e.g., 'sipeed/picoclaw-skills') or remote registries like 'ClawHub'.
  • [PROMPT_INJECTION]: Documents an architecture with an indirect prompt injection surface due to the ingestion of data from various chat platforms (Telegram, Discord, Slack, etc.) combined with executable capabilities like shell access.
  • Ingestion points: Chat channels such as Telegram, Discord, Slack, WhatsApp, and WeCom as described in 'references/channels.md'.
  • Boundary markers: No explicit instruction delimiters or boundary markers are documented in the reference material to isolate untrusted channel data.
  • Capability inventory: Shell command execution via 'tools.exec' and the ability to download/execute remote skills via 'picoclaw skills install'.
  • Sanitization: The documentation recommends the use of 'tools.exec.enable_deny_patterns' and 'custom_deny_patterns' to filter dangerous commands.
Audit Metadata
Risk Level
SAFE
Analyzed
May 19, 2026, 06:38 AM
Security Audit — agent-trust-hub — picoclaw