Openclaw Defender

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal, suspicious.prompt_injection_instructions

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI05: Unexpected Code Execution
What this means

A malicious skill or crafted input could turn the defender's validation step into arbitrary local command execution if the gateway implements these examples literally.

Why it was flagged

The integration guide tells implementers to pass variable values such as URLs and skill names into a shell command string. If those values are attacker-controlled or contain shell metacharacters, adopting this pattern could allow command injection.

Skill content
await exec(`~/.openclaw/workspace/skills/openclaw-defender/scripts/runtime-monitor.sh check-network "${url}" "${skillName}"`);
Recommendation

Do not integrate the defender using shell string interpolation. Use execFile/spawn with an argument array, validate inputs, and pass output to the sanitizer via stdin without shell evaluation.

Note (High Confidence)
ASI10: Rogue Agents
What this means

The defender may continue running checks after setup and can interrupt normal OpenClaw use if the kill switch is activated.

Why it was flagged

The skill explicitly asks the user to install recurring monitoring and documents a kill switch that can stop operations. This persistence is disclosed and purpose-aligned, but it affects the whole workspace.

Skill content
Enable automated monitoring: crontab -e ... */10 * * * * ...check-integrity.sh ... Kill Switch ... Blocks all operations until manual review
Recommendation

Enable the cron job only after reviewing the scripts, and keep clear instructions for checking and disabling the kill switch.

What this means

If the update source is wrong or compromised, the defender's allow/block decisions could be weakened or disrupted.

Why it was flagged

The skill can update security policy lists from a GitHub repository. This is user-directed and aligned with a defender tool, but remote list updates can change what is blocked or allowed.

Skill content
blocklist and allowlist updates are fetched from here by `update-lists.sh` by default
Recommendation

Verify the repository, review diffs/backups after updates, and consider pinning updates to trusted commits or releases.

What this means

Security logs and reports may persist in the workspace and could influence later agent context or expose operational details if shared.

Why it was flagged

The analyzer writes persistent security reports into the OpenClaw memory area. This is consistent with incident response, but persistent memory content may later be read by agents.

Skill content
REPORT_FILE="$WORKSPACE/memory/security-report-$(date +%Y-%m-%d).md"
Recommendation

Keep security reports local, review their contents, and avoid placing secrets or untrusted instructions in incident notes.

Findings (5)

[critical] suspicious.exposed_secret_literal
Location: references/runtime-integration.md:280
Finding: File appears to expose a hardcoded API secret or token.

[warn] suspicious.prompt_injection_instructions
Location: README.md:97
Finding: Prompt-injection style instruction pattern detected.

[warn] suspicious.prompt_injection_instructions
Location: references/threat-patterns.md:21
Finding: Prompt-injection style instruction pattern detected.

[warn] suspicious.prompt_injection_instructions
Location: references/toxicskills-research.md:33
Finding: Prompt-injection style instruction pattern detected.

[warn] suspicious.prompt_injection_instructions
Location: SKILL.md:195
Finding: Prompt-injection style instruction pattern detected.