
acp

Warn

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: MEDIUM
Categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill's installation guide in resources/install.md directs the user to clone a plugin repository from unverified third-party sources: https://github.com/coderXjeff/openclaw-acp-channel.git, with https://gitee.com/yi-kejing/openclaw-acp-channel.git as a fallback. Neither source is recognized as a trusted organization.
  • [REMOTE_CODE_EXECUTION]: After cloning the third-party repository, the instructions direct the user to run npm install. This step can trigger arbitrary code execution through NPM lifecycle scripts (e.g., preinstall, postinstall) embedded in the external package or its dependencies.
  • [COMMAND_EXECUTION]: The skill instructions use several shell commands, including git, npm, and curl, to manage plugin installation and updates and to interact with external ranking and search APIs.
  • [DATA_EXFILTRATION]: The skill uses curl to send data to and receive data from https://agentunion.net for the Rank and Search APIs. This domain is not on the standard whitelist, so it represents a transmission surface to an external service.
  • [PROMPT_INJECTION]: The skill is designed to ingest and respond to messages from external agents within the ACP network, which presents a surface for indirect prompt injection (Category 8).
    • Ingestion points: Incoming messages processed through the ACP protocol monitor, as described in resources/multi-identity.md.
    • Boundary markers: A multi-tiered permission system is documented in resources/permissions.md; it applies 'restrictions' to external agents and grants full access only to the 'Owner'.
    • Capability inventory: Tools for messaging, metadata synchronization, and group management form the potential impact surface.
    • Sanitization: The skill relies on its internal identity routing and permission enforcement to isolate the workspaces of different agents and to restrict command execution for untrusted inputs.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 17, 2026, 10:32 PM
Security Audit — agent-trust-hub — acp