openclaw-coder-playbook
Pass
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: SAFE
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface where it consumes data from untrusted external sources and uses it to drive agent behavior.
  - Ingestion points: The skill reads user messages from chat history (via the message tool with action: "read") and parses project-specific documentation and configuration files located in ~/projects/{PROJECT_NAME}/docs/ (e.g., welcome.md, workspace.md).
  - Boundary markers: While the skill uses a [WORK] header as a state marker in conversation history to recover context, it does not implement explicit delimiters or safety instructions to prevent the agent from obeying instructions embedded within user messages or project files.
  - Capability inventory: The skill executes local shell commands (git, ls), interacts with the openclaw gateway session management, and delegates tasks to the alignfirst-coaching CLI using the exec tool.
  - Sanitization: There is no evidence of sanitization or strict validation for variables like TICKET_ID or PROJECT_NAME before they are interpolated into shell commands or passed to the coding agent.
- [COMMAND_EXECUTION]: The skill relies on executing local system commands and vendor-specific CLI tools to manage the development lifecycle.
  - Evidence: The skill uses the exec tool to run the alignfirst-coaching agent. It also performs direct Git operations, including git fetch, git status, git merge, and git diff, and uses the openclaw CLI for session resets. These operations are functional components of the workspace but depend on the integrity of inputs derived from user communications.
Audit Metadata