long-running-task-management

Pass

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes task instructions, stages, and 'next_action' fields from a persistent local state file (~/.openclaw/skill-state/long-running-task-management/state.yaml). If this file is modified by an external process or attacker, the agent may execute unintended actions during its periodic cron-based wakeups or when resuming a task.
    * Ingestion points: The state file ~/.openclaw/skill-state/long-running-task-management/state.yaml is read in the 'Resume After Interruption' and 'Cron Wakeup Behavior' sections of SKILL.md.
    * Boundary markers: Absent; there are no instructions provided to the agent to treat content in the state file as untrusted or to ignore embedded commands.
    * Capability inventory: The skill instructions imply the agent will perform file modifications, run tests/verification, and commit to git based on the state file's contents.
    * Sanitization: Absent; the skill does not specify any validation or sanitization of the state file content before it is used to guide the agent's next steps.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 30, 2026, 05:08 AM