zeroclaw
Warn
Audited by Snyk on Apr 1, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly documents ingesting public/untrusted user-generated content via many channels (CHANNELS.md: Telegram, Discord, Slack, Webhook, X/Twitter, Email, MQTT, etc.) and instructs a validation workflow that uses a permissive allowlist ("*") and shows in-chat commands (e.g., /model) and web_search/browser/HTTP request features that let the agent fetch and act on arbitrary third-party content, so external content can materially influence model/provider selection and runtime behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The installation instructions include "git clone https://github.com/zeroclaw-labs/zeroclaw.git && ./bootstrap.sh" (and similarly recommend cloning the skill repo https://github.com/Perseusmx/zeroclaw-skill.git), which fetches remote code and runs a bootstrap script—i.e., executes remote code during setup and is a required dependency for the skill.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt includes commands that install/control system services (e.g. "zeroclaw service install"/systemd), run bootstrap scripts, and flash firmware—actions that modify system-level state and can require elevated privileges.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.