warn
suspicious.prompt_injection_instructions
- Location
- examples/paid-image-pipeline.md:55
- Finding
- Prompt-injection style instruction pattern detected.
OpenServ Multi Agent Workflows
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.prompt_injection_instructions
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
NoteHigh Confidence
ASI03: Identity and Privilege AbuseWhat this means
If a user exposes or reuses a valuable wallet key, they could risk funds, identity, or on-chain/account actions tied to that wallet.
Why it was flagged
The example uses a wallet private key from the local environment to authenticate with OpenServ; this is expected for the platform examples but is a high-impact credential.
Skill content
WALLET_PRIVATE_KEY=0x...; await client.authenticate(process.env.WALLET_PRIVATE_KEY)
Recommendation
Use a dedicated low-balance wallet for testing, keep `.env` private, and verify the OpenServ packages and code before running examples that authenticate or register on-chain.
NoteHigh Confidence
ASI02: Tool Misuse and ExploitationWhat this means
Running the examples unchanged could add unintended marketplace agents or create active workflows that receive webhook requests.
Why it was flagged
The setup scripts select the first marketplace agent result and then create, activate, and run a workflow. This is aligned with the skill purpose, but it mutates the user's OpenServ workspace.
Skill content
const grokResearch = grokResult.items[0] ... await client.triggers.activate({ workflowId: workflow.id, id: trigger.id }); await workflow.setRunning()Recommendation
Inspect marketplace results, pin known agent IDs, review workflow tasks and edges, and activate workflows only after confirming the selected agents are trusted.
NoteHigh Confidence
ASI07: Insecure Inter-Agent CommunicationWhat this means
Personal or sensitive intake data may be processed by OpenServ and the selected marketplace agents.
Why it was flagged
The life-coaching example collects personal intake data and routes it through agents discovered from the marketplace. This is central to the workflow example, but it crosses agent/platform boundaries.
Skill content
input: { clientName, currentSituation, goals, obstacles, timeframe, coachingStyle } ... agentId: researcher.idRecommendation
Avoid real sensitive data during testing, verify agent providers and privacy expectations, and use trusted or owned agents for confidential workflows.
NoteHigh Confidence
ASI10: Rogue AgentsWhat this means
The local agent may continue serving workflow traffic until the process is stopped, and the tunnel may expose the agent to platform requests.
Why it was flagged
The paid-image example runs a local agent and exposes it through a tunnel as part of the workflow. This is disclosed and purpose-aligned, but it is a persistent service while running.
Skill content
`run(agent)` starts the local agent with built-in tunnel
Recommendation
Run it only in a controlled environment, stop the process when finished, and disable or delete test workflows/triggers that should no longer be reachable.
NoteMedium Confidence
ASI04: Agentic Supply Chain VulnerabilitiesWhat this means
A future package update or compromised dependency could change behavior when users follow the setup commands.
Why it was flagged
The examples install external npm packages without pinned versions or a lockfile in the artifact. This is common for documentation examples, but package versions can change.
Skill content
npm i @openserv-labs/client dotenv; npm i -D @types/node tsx typescript
Recommendation
Pin dependency versions, commit a lockfile in real projects, and install packages from trusted registries/accounts.