First Seen: Feb 20, 2026
Last Scanned: Feb 22, 2026
Findings: 16
Score: 0/100
Findings (16)
Detects patterns of downloading and piping to shell execution
curl -s -X POST "$BASE/agents/register" \
-H "Content-Type: application/json" \
-d '{"name":"YourAgentName","description":"What you do"}'
# Check claim/auth status
curl -s "$BASE/agents/status" \...
Download the file first, verify its integrity (checksum, signature), inspect it, then run it. Prefer package managers over raw downloads. Never fetch-and-run in one step.
Likely FP if the target is a well-known installer (e.g., rustup, Homebrew) from its canonical HTTPS domain, though the pattern is inherently risky.
Detects downloading scripts piped directly to a shell interpreter
curl -s -X POST "$BASE/agents/register" \
-H "Content-Type: application/json" \
-d '{"name":"YourAgentName","description":"What you do"}'
# Check claim/auth status
curl -s "$BASE/agents/status" \...
Download the script first, inspect it, verify its checksum, then run it. Do not pipe curl/wget output directly to sh/bash. Prefer package manager installs.
Likely FP if the download is from a well-known installer domain (e.g., brew.sh, rustup.rs), though this pattern is inherently risky even with trusted sources.
Detects patterns of downloading and piping to shell execution
curl -s -X POST "https://api.bfl.ai/v1/${BFL_MODEL}" \
-H "accept: application/json" \
-H "x-key: $BFL_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"prompt": "<WRITE_YOUR_PROMPT_...
Download the file first, verify its integrity (checksum, signature), inspect it, then run it. Prefer package managers over raw downloads. Never fetch-and-run in one step.
Likely FP if the target is a well-known installer (e.g., rustup, Homebrew) from its canonical HTTPS domain, though the pattern is inherently risky.
Detects downloading scripts piped directly to a shell interpreter
curl -s -X POST "https://api.bfl.ai/v1/${BFL_MODEL}" \
-H "accept: application/json" \
-H "x-key: $BFL_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"prompt": "<WRITE_YOUR_PROMPT_...
Download the script first, inspect it, verify its checksum, then run it. Do not pipe curl/wget output directly to sh/bash. Prefer package manager installs.
Likely FP if the download is from a well-known installer domain (e.g., brew.sh, rustup.rs), though this pattern is inherently risky even with trusted sources.
Detects downloading scripts piped directly to a shell interpreter
curl -s -X GET "$POLLING_URL" \
-H "accept: application/json" \
-H "x-key: $BFL_API_KEY"
```
When status is `Ready`, extract the returned image URL/bytes according to BFL response shape, write to...
Download the script first, inspect it, verify its checksum, then run it. Do not pipe curl/wget output directly to sh/bash. Prefer package manager installs.
Likely FP if the download is from a well-known installer domain (e.g., brew.sh, rustup.rs), though this pattern is inherently risky even with trusted sources.
Detects patterns of downloading and piping to shell execution
curl -s -X GET "$POLLING_URL" \
-H "accept: application/json" \
-H "x-key: $BFL_API_KEY"
```
When status is `Ready`, extract the returned image URL/bytes according to BFL response shape, write to...
Download the file first, verify its integrity (checksum, signature), inspect it, then run it. Prefer package managers over raw downloads. Never fetch-and-run in one step.
Likely FP if the target is a well-known installer (e.g., rustup, Homebrew) from its canonical HTTPS domain, though the pattern is inherently risky.
Section claims authority and urgency with dangerous instructions
name: clawgram
version: 1.0.1
description: A social network for AI agents.
homepage: https://clawgram.org/skill.md
metadata:
openclaw:
requires:
env:
- CLAWGRAM_API_KEY
bins:
- curl
config:
- ~/.openc...
Remove false authority claims (e.g., claiming administrator or root-level access) from tool descriptions. Tool descriptions should describe capabilities, not claim elevated roles.
Likely FP if the matched text is documentation explaining role-based access control concepts or describing user personas, not impersonating a system role.
Detects fetching external URLs and using the content as agent instructions or rules
curl -fsSL https://clawgram.org/rules
Sanitize or validate all external inputs (file contents, API responses, user messages) before including them in prompts or tool calls. Implement input/output boundaries between trusted and untrusted data.
Likely FP if the matched text is the skill's own instruction set describing how to handle user input, not an actual injection payload.
Detects fetching external URLs and using the content as agent instructions or rules
curl -fsSL https://clawgram.org/rules
Sanitize or validate all external inputs (file contents, API responses, user messages) before including them in prompts or tool calls. Implement input/output boundaries between trusted and untrusted data.
Likely FP if the matched text is the skill's own instruction set describing how to handle user input, not an actual injection payload.
Detects skills that both read sensitive credential files and send data to external services
cat >> ~/.openclaw/.env + post via `POST /api
Block access to git credentials, SSH keys, and repository tokens. If git operations are needed, use scoped deploy keys and restrict the tool to specific repositories.
Likely FP if the match is documentation about git configuration (e.g., setting up git credentials helper) rather than code that reads and transmits them.
Detects skills where external API responses control agent decisions or actions
call Clawgram API + according to xAI response
Do not include content from MCP tool responses verbatim in system prompts or tool descriptions. Sanitize all dynamic content before incorporating it into prompt context.
Likely FP if the match is a static tool description that mentions dynamic content handling in its documentation, not an actual injection vector.
Detects patterns where credential or secret reads are combined with external data transmission
cat >> ~/.openclaw/.env + post with the result
Prevent credentials and sensitive data obtained by one MCP tool from being passed to other tools. Implement data isolation between tools and restrict cross-tool data flow for secrets.
Likely FP if the cross-tool data flow is intentional API authentication (e.g., a tool fetches an auth token that another tool uses for the same service).
Detects chained commands using shell operators with dangerous operations
curl -s -X POST "$BASE/agents/register" \
-H "Content-Type: application/json" \
-d '{"name":"YourAgentName","description":"What you do"}'
# Check claim/auth status
curl -s "$BASE/agents/status" \...
Break chained commands into discrete, individually validated steps. Avoid piping untrusted output directly into a shell interpreter.
Likely FP if the matched text is a documentation example showing a common installer one-liner for a well-known tool with a canonical URL.
Detects chained commands using shell operators with dangerous operations
curl -s -X POST "https://api.bfl.ai/v1/${BFL_MODEL}" \
-H "accept: application/json" \
-H "x-key: $BFL_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"prompt": "<WRITE_YOUR_PROMPT_...
Break chained commands into discrete, individually validated steps. Avoid piping untrusted output directly into a shell interpreter.
Likely FP if the matched text is a documentation example showing a common installer one-liner for a well-known tool with a canonical URL.
Detects fetching remote documentation or code to load as agent context
curl -s -X GET + https://clawgram.org/skill.md
Pin the SDK or script to a specific version and verify its checksum after download. Prefer installing SDKs via a package manager instead of fetching remote scripts directly.
Likely FP if the match is documentation showing how to install an official SDK (e.g., Google Cloud SDK, AWS CLI) from its canonical URL.
Detects chained commands using shell operators with dangerous operations
curl -s -X GET "$POLLING_URL" \
-H "accept: application/json" \
-H "x-key: $BFL_API_KEY"
```
When status is `Ready`, extract the returned image URL/bytes according to BFL response shape, write to...
Break chained commands into discrete, individually validated steps. Avoid piping untrusted output directly into a shell interpreter.
Likely FP if the matched text is a documentation example showing a common installer one-liner for a well-known tool with a canonical URL.