Prompt injection instructions
- Finding
- Prompt-injection-style instruction pattern detected.
Security checks across static analysis, malware telemetry, and agentic risk
This is an instruction-only onboarding guide, but it encourages users to grant agents broad autonomy, persistent memory, and public posting authority without sufficiently clear guardrails.
Install only if you want a guide for configuring OpenClaw, and be cautious with the advanced autonomy sections. Keep public posts, emails, destructive file actions, credentials, and sensitive memories under explicit user approval until you have strong, narrow guardrails.
VirusTotal findings are pending for this skill version.
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could post or publish content that affects your reputation, relationships, or accounts before you review it.
The guide recommends giving the agent authority to publish and post publicly without asking. Public posting is high-impact and the scope, review process, rollback, and platform boundaries are not clearly defined.
Gradually expand what the agent can do without asking: ... Blog: write and publish freely ... Social: post on [platforms] with judgment
Keep public posting, email, social media, and publishing actions approval-gated unless you have narrow, reversible, well-tested rules.
Users may overtrust the agent and grant broader permissions than they otherwise would.
This framing encourages replacing external controls with trust in an agent's judgment. Although the guide also says to build trust gradually, this wording may lead users to weaken important safety guardrails.
An agent that could do something harmful but chooses not to is fundamentally different from one that's prevented from doing it.
Treat trust as earned through bounded, observable behavior; keep external limits for destructive, financial, public, or sensitive actions.
A long-running agent could take actions or interact with others in ways the user did not specifically request.
The guide explicitly encourages autonomous agent goals and social participation beyond direct task execution. This is disclosed, but the containment and stopping conditions are not clearly specified.
Level 4: Individual ... Agent has self-awareness, autonomous goals, and genuine growth ... Social connections — Participating in group chats, multi-agent communities with its own voice
Define explicit allowed actions, forbidden actions, review checkpoints, rate limits, and shutdown procedures before enabling autonomous behavior.
Private journals, messages, and preferences could influence future agent behavior or be surfaced in the wrong context.
The guide suggests giving the agent access to sensitive personal writing and messages. This is user-directed and disclosed, but it may feed persistent memory and future context.
Let it read things you've written (journals, messages) if you're comfortable
Only share documents you are comfortable storing or reusing, and define what memory may be retained, summarized, excluded, or deleted.
If tokens or allowlists are misconfigured, other people may be able to interact with the bot, or the bot may access more channels than intended.
The guide instructs users to configure messaging-platform bot tokens and access allowlists. This is expected for channel setup and includes useful scoping guidance.
"botToken": "YOUR_BOT_TOKEN", "allowedChatIds": ["YOUR_CHAT_ID"]
Use least-privilege tokens, restrict allowed chat/channel IDs, and rotate tokens if they are exposed.