coding-agent

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflows (SKILL.md and README) explicitly tell OpenClaw to clone and review public GitHub repos/PRs (e.g., git clone https://github.com/user/repo.git, git fetch refs/pull/*) and to run kiro-cli chat for external queries, meaning the agent will fetch, read, and act on arbitrary public web/user-generated content that could contain injected instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The README instructs running a remote installer with "curl -fsSL https://cli.kiro.dev/install | bash", which fetches and executes remote code at setup and is presented as a required dependency for Kiro integration, so it constitutes a runtime external dependency that executes remote code.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt explicitly promotes bypassing sandboxing and auto-approvals (e.g., Codex --yolo, Kiro --trust-all-tools, and an "elevated" host mode) which encourages running agents with host-level access and disabling security controls, enabling arbitrary and potentially privileged changes to the machine.