tailscale-operator
Warn
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The skill instructs the agent to access and utilize sensitive local file paths related to SSH credentials, specifically the identity file at ~/.ssh/id_ed25519 and the public key at ~/.ssh/id_ed25519.pub.
- [COMMAND_EXECUTION]: The skill provides instructions for executing high-privilege commands that can modify system security posture and user rights. Evidence includes the use of sudo for configuration changes and user management commands such as usermod (Linux) and dseditgroup (macOS) to grant administrative access. It also includes instructions for persistent access by appending keys to ~/.ssh/authorized_keys.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the processing of untrusted external inventory data.
  - Ingestion points: Reads shared device records from /home/aa/.openclaw/shared/tailnet/devices/*.md and inventory from /home/aa/.openclaw/shared/tailnet/README.md.
  - Boundary markers: Absent; there are no delimiters or specific instructions to the agent to disregard instructions embedded within these files.
  - Capability inventory: Extensive capabilities including remote shell execution (ssh), privilege escalation (sudo, usermod), and file system modification.
  - Sanitization: Absent; the skill does not define any validation or filtering for the content retrieved from the device records.
Audit Metadata