openclaw-qa-testing
Fail
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: Detailed mapping of sensitive infrastructure credentials in secret management tools.
  - The skill provides specific paths to production-grade secrets within 1Password, including vault names like 'OpenClaw' and 'Private', and item names such as 'Telegram E2E', 'OPENCLAW_QA_CONVEX_SECRET_MAINTAINER', and 'OPENCLAW_QA_CONVEX_SECRET_CI'.
  - It instructs the agent to search for and use specific environment variables (e.g., 'OPENCLAW_QA_TELEGRAM_DRIVER_BOT_TOKEN') that handle sensitive service authentication.
- [COMMAND_EXECUTION]: Execution of shell commands involving sensitive environment variables.
  - The instructions include multiple examples of running 'pnpm' and 'gh' commands that interpolate secret tokens directly into the shell environment (e.g., 'OPENCLAW_LIVE_OPENAI_KEY="${OPENAI_API_KEY}"').
  - It encourages the use of the 1Password CLI ('op') to retrieve and verify credentials, providing the agent with a path to access secrets outside of the immediate repo environment.
- [PROMPT_INJECTION]: Significant indirect prompt injection surface through scenario processing.
  - Ingestion points: The skill's primary workflow involves reading scenario definitions and documentation from 'qa/scenarios/*.md' and 'docs/', which may be attacker-controlled in a multi-user or PR-based environment.
  - Boundary markers: The instructions lack explicit delimiters or 'ignore-previous-instructions' warnings when processing these external markdown files.
  - Capability inventory: The agent has high-privilege access to shell execution, credential management tools, and GitHub CLI operations.
  - Sanitization: No sanitization or validation logic is specified for the content of scenario files before they are used to drive the testing logic or command parameters.
Recommendations
- AI detected serious security threats
Audit Metadata