openclaw-deploy

Fail

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: HIGH | REMOTE_CODE_EXECUTION | COMMAND_EXECUTION | CREDENTIALS_UNSAFE | PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill downloads and executes shell scripts from nodesource.com and openclaw.ai using the curl | bash pattern to install Node.js and the OpenClaw application. While nodesource.com is a well-known service provider, executing remote scripts from third-party vendor domains without integrity verification represents a security risk.
  • [COMMAND_EXECUTION]: The skill performs significant system-level modifications, such as moving the original /usr/bin/chromium binary to a backup location and replacing it with a custom-generated shell wrapper script.
  • [COMMAND_EXECUTION]: The deployment process includes runtime modifications to the application's distribution files located in /usr/lib/node_modules/openclaw/dist/ using sed to alter hardcoded timeout constants.
  • [CREDENTIALS_UNSAFE]: The skill prompts users for highly sensitive information, including SSH connection details, AI provider API keys, and messaging bot tokens. These credentials are subsequently stored in configuration files and systemd environment variables on the target server.
  • [COMMAND_EXECUTION]: Persistence is established on the target server by creating and enabling multiple systemd user services (openclaw-gateway.service, proxy-relay.service, xvfb.service) and enabling user lingering via loginctl.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection and command injection because user-supplied inputs, such as SSH arguments and API keys, are directly interpolated into shell commands and configuration files without formal sanitization.
      • Ingestion points: Sensitive data enters via AskUserQuestion tools in the '第一步:收集信息' ("Step 1: Collect information") section of SKILL.md.
      • Boundary markers: There are no formal delimiters or instructions to the model to ignore potential control characters in user input during interpolation.
      • Capability inventory: The skill leverages powerful capabilities including remote shell execution (ssh), file system modification (cat, sed, mv), and system service management (systemctl).
      • Sanitization: The skill lacks automated input validation; the documentation only contains a textual warning (Pitfall #28) advising users to manually wrap tokens in single quotes to avoid shell errors.
Recommendations
  • HIGH: Downloads and executes remote code from: https://rpm.nodesource.com/setup_22.x, https://deb.nodesource.com/setup_22.x, https://openclaw.ai/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 14, 2026, 07:13 AM