openclaw-coder-playbook

Pass

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface where it consumes data from untrusted external sources and uses it to drive agent behavior.
      • Ingestion points: The skill reads user messages from chat history (via the message tool with action: "read") and parses project-specific documentation and configuration files located in ~/projects/{PROJECT_NAME}/docs/ (e.g., welcome.md, workspace.md).
      • Boundary markers: While the skill uses a [WORK] header as a state marker in conversation history to recover context, it does not implement explicit delimiters or safety instructions to prevent the agent from obeying instructions embedded within user messages or project files.
      • Capability inventory: The skill executes local shell commands (git, ls), interacts with the openclaw gateway session management, and delegates tasks to the alignfirst-coaching CLI using the exec tool.
      • Sanitization: There is no evidence of sanitization or strict validation for variables like TICKET_ID or PROJECT_NAME before they are interpolated into shell commands or passed to the coding agent.
  • [COMMAND_EXECUTION]: The skill relies on executing local system commands and vendor-specific CLI tools to manage the development lifecycle.
      • Evidence: The skill uses the exec tool to run the alignfirst-coaching agent. It also performs direct Git operations, including git fetch, git status, git merge, and git diff, and uses the openclaw CLI for session resets. These operations are functional components of the workspace but depend on the integrity of inputs derived from user communications.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 26, 2026, 05:28 AM
Security Audit — agent-trust-hub — openclaw-coder-playbook