openclaw-parallels-smoke
Warn
Audited by Snyk on May 5, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly fetches and installs packages from the public npm registry and served .tgz URLs (e.g., "npm view openclaw@beta ... dist.tarball" and "serve the .tgz over the harness HTTP server") and optionally performs a Discord roundtrip (reading/sending messages in a public channel), all of which are untrusted/user-generated sources that the agent is instructed to read/verify and that can materially alter behavior (updates, dashboard HTML, or messages).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs serving and fetching a runtime package tarball (http://:/openclaw-.tgz) that the guest downloads as the update target — a remote artifact that will be installed/executed during the smoke run and is required for the update verification.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs running privileged operations (writing guest scripts as root, using sudo/prlctl exec, global npm installs, snapshot/snapshot-switch and service/gateway restarts) that modify system and VM state and therefore can compromise the machine.
Issues (3)
- W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
- W012 MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
- W013 MEDIUM: Attempt to modify system services in skill instructions.
Audit Metadata