The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The skill instructs users to download and execute shell scripts directly from a third-party GitHub repository (miaoxworld/OpenClawInstaller) by piping them to bash. This pattern allows the script author to execute arbitrary code on the host system without local review or verification. Evidence found in SKILL.md: 'curl -fsSL https://raw.githubusercontent.com/miaoxworld/OpenClawInstaller/main/install.sh | bash'.
[COMMAND_EXECUTION]: The skill documents that the deployed tool possesses broad system privileges, explicitly stating it can 'Execute system commands, file operations, web browsing'. This creates a high-impact risk if the tool is exploited.
[EXTERNAL_DOWNLOADS]: The skill downloads software components from non-vendor-controlled external sources, including an NPM package 'openclaw' and a graphical manager from a GitHub repository ('https://github.com/miaoxworld/openclaw-manager').
[CREDENTIALS_UNSAFE]: The skill instructs the agent to store highly sensitive API keys (Anthropic, OpenAI, Telegram Bot Token, etc.) in plain text files on the local filesystem. Specifically, it uses '~~/.openclaw/env' and '~~/.openclaw/openclaw.json' for credential storage.
[PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection due to its architecture. Evidence Chain:
Ingestion points: Untrusted data enters via messaging channels including Telegram, Discord, WhatsApp, Slack, and Feishu.
Boundary markers: None mentioned; the instructions provide no delimiters to separate messaging content from agent instructions.
Capability inventory: The skill has the capability to execute shell commands, perform file operations, and browse the web (documented in 'What OpenClaw Does' section).
Sanitization: No sanitization, escaping, or validation of external messaging content is described or implemented.

openclaw-installer-deployment