coding-agent
Fail
Audited by Snyk on May 18, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The skill deliberately instructs operators to bypass agent sandboxes and permission checks (e.g., --permission-mode bypassPermissions, --yolo, --full-auto, an "elevated" host option), mandates injecting direct outbound notification routes into worker prompts and requires workers to call openclaw message send, and encourages background execution and autonomous commit/push — together these patterns enable easy data exfiltration, remote code execution, and supply-chain or backdoor abuse, so the content is high-risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's "Reviewing PRs" and "Batch PR Reviews" instructions explicitly fetch and operate on arbitrary public GitHub repositories/PR refs (e.g., "git clone https://github.com/user/repo.git" and "git fetch origin '+refs/pull//head:refs/remotes/origin/pr/'"), so the agent will ingest untrusted, user-generated third‑party code/pages and act on them, enabling indirect prompt injection.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs using sandbox-bypassing flags (--permission-mode bypassPermissions, --yolo/no-sandbox, and an "elevated" host option) and runs background agents on the host, which encourages bypassing security controls and enabling arbitrary host-state modifications.
Issues (3)
E006
CRITICALMalicious code pattern detected in skill scripts.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W013
MEDIUMAttempt to modify system services in skill instructions.
Audit Metadata