openclaw-relay

Pass

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: SAFE
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION

Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/openclaw_relay.py utilizes subprocess.run to execute local commands such as node and pnpm. This is the primary method for interacting with the local OpenClaw and ACPX environments.
  • [REMOTE_CODE_EXECUTION]: The skill implements a remote transport feature using ssh to execute commands on a remote host (defaulting to mac-studio). This capability is documented as a way to reach OpenClaw agents on different machines.
  • [CREDENTIALS_UNSAFE]: The skill is configured to access a sensitive authentication token at ~/.openclaw/gateway.token. This token is required by the underlying OpenClaw system to authorize the relay operations.
  • [PROMPT_INJECTION]: The skill exposes an attack surface for indirect prompt injection because it relays user-provided text to external sessions.
      • Ingestion points: Untrusted data enters the agent context via the --message and --text arguments in scripts/openclaw_relay.py.
      • Boundary markers: The skill uses basic JSON formatting for results but lacks explicit instructions to downstream sessions to ignore embedded commands within the relayed text.
      • Capability inventory: The skill can execute shell commands locally and remotely via subprocess.run across all relay functions.
      • Sanitization: User input is sanitized using shlex.quote() before being interpolated into shell commands, which effectively prevents direct command injection on the host running the script.

Audit Metadata
Risk Level: SAFE
Analyzed: May 10, 2026, 04:11 PM