suspicious.prompt_injection_instructions
- Location: reference.md:15
- Finding: Prompt-injection style instruction pattern detected.
Advisory
Audited by Static analysis on May 10, 2026.
Detected: suspicious.prompt_injection_instructions
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the local environment file or generated state leaks, someone could potentially access the OpenServ account, agent credentials, or wallet-controlled resources.
The examples show that provisioning creates or stores wallet and OpenServ credentials locally. This is expected for platform authentication, but those values are sensitive.
# Auto-populated by provision() - DO NOT fill manually
WALLET_PRIVATE_KEY=
OPENSERV_API_KEY=
OPENSERV_AUTH_TOKEN=
Run this only in a trusted project directory, keep .env and .openserv.json out of source control, and rotate credentials if they are exposed.
Running the examples can create or update agents and workflows and make triggers callable on the OpenServ platform.
The normal provisioning flow mutates OpenServ platform resources and activates triggers. This matches the skill purpose, but it has real account impact when run.
Creates or updates the agent... Creates or updates the workflow with trigger and task... Activates trigger and sets workflow to running
Use a test account or test wallet first, review the workflow and trigger settings, and only provision when you intend to create or update platform resources.
If run with --all, the cleanup script can remove OpenServ workflows and agents from the authenticated account.
The cleanup example contains an explicit user-invoked --all option that deletes all listed workflows and agents. It is disclosed, but destructive.
if (args.includes('--all')) { ... await client.workflows.delete({ id: w.id }) ... await client.agents.delete({ id: a.id }) }
Do not run cleanup.ts with --all unless you have verified the account and are sure those resources should be deleted.
Installing the package runs code from the npm supply chain rather than code fully reviewed here.
The skill relies on an external npm package that is not included in the reviewed artifacts. This is expected for a client guide, but package provenance is outside this artifact review.
npm install @openserv-labs/client
Verify the npm package name, publisher, version, and lockfile before using it in production.
Anyone who obtains the webhook URL may be able to trigger the associated workflow, depending on OpenServ controls.
The example prints a tokenized webhook URL used to invoke the workflow. This is purpose-aligned, but the URL/token should be treated as sensitive.
console.log(`Webhook: https://api.openserv.ai/webhooks/trigger/${result.triggerToken}`)
Avoid sharing webhook URLs publicly unless intended, and rotate or recreate triggers if a tokenized URL is exposed.