picoclaw
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documents the 'tools.exec' and 'hooks' systems which allow the agent to execute shell commands and trigger external scripts (e.g., 'python3 /tmp/review_gate.py'). It provides security guidance on using regex-based deny patterns to mitigate risk.
- [EXTERNAL_DOWNLOADS]: Documents the 'picoclaw skills install' command used to fetch and install additional agent capabilities from GitHub repositories (e.g., 'sipeed/picoclaw-skills') or remote registries like 'ClawHub'.
- [PROMPT_INJECTION]: Documents an architecture with an indirect prompt injection surface due to the ingestion of data from various chat platforms (Telegram, Discord, Slack, etc.) combined with executable capabilities like shell access.
- Ingestion points: Chat channels such as Telegram, Discord, Slack, WhatsApp, and WeCom as described in 'references/channels.md'.
- Boundary markers: No explicit instruction delimiters or boundary markers are documented in the reference material to isolate untrusted channel data.
- Capability inventory: Shell command execution via 'tools.exec' and the ability to download/execute remote skills via 'picoclaw skills install'.
- Sanitization: The documentation recommends the use of 'tools.exec.enable_deny_patterns' and 'custom_deny_patterns' to filter dangerous commands.
Audit Metadata