clickclack

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md "Verify" and "Surfaces" steps explicitly instruct fetching public site/docs content (e.g., curl -fsS http://127.0.0.1:8080/ and curl -I https://clickclack.chat, https://app.clickclack.chat, https://docs.clickclack.chat and saving /tmp/clickclack-root.html), so the agent ingests open/public website/docs that could contain untrusted instructions influencing its decisions or actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The deploy steps run git fetch/merge and then build and run code originating from the repository https://github.com/openclaw/clickclack, so remote repository content is fetched at runtime and becomes executed application code on deploy.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs running privileged operations (ssh root@..., rm -rf and mkdir under /opt, chown, write to /root, stop/remove/run Docker containers, backup data) that modify system files and service state on the host, effectively directing the agent to perform privileged changes to the machine.