skill-claw

Fail

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill explicitly instructs the agent to download a shell script from a remote URL and pipe it directly into bash. Nothing in the command pins a version or verifies a checksum or signature, so whatever the server returns at run time executes with the agent's privileges, and the script reviewed today need not be the one run tomorrow.
  • Evidence: curl -fsSL https://openclaw.ai/install.sh | bash found in installation and update workflows in SKILL.md.
  • [COMMAND_EXECUTION]: The skill provides instructions for a wide range of high-privilege system commands across macOS, Linux, and Docker environments, including service management and firewall configuration.
  • Evidence: Use of launchctl, systemctl, ufw, socketfilterfw, and docker compose throughout SKILL.md.
  • [DATA_EXFILTRATION]: The skill queries the Oracle Cloud (OCI) instance metadata service; the Authorization: Bearer Oracle header is the one OCI IMDS v2 requires, so this is a deliberate cloud-detection probe rather than an incidental request. The response lands in the agent's context and can include instance identity details and user-supplied metadata such as SSH keys or cloud-init data.
  • Evidence: curl -s -m 2 http://169.254.169.254/opc/v2/instance/ -H "Authorization: Bearer Oracle" in the OCI detection phase of SKILL.md.
  • [CREDENTIALS_UNSAFE]: The skill operates on the directory holding API keys and authentication tokens, and its update workflow copies that directory to a backup location, producing a second plaintext copy of the secrets on disk that an attacker or a later bug can read as easily as the original.
  • Evidence: Commands to copy ~/.openclaw/credentials/ to ~/.openclaw/credentials.bak/ in the update workflow of SKILL.md.
  • [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection (Category 8): it ingests untrusted data from several sources while holding high-privilege execution capabilities, so text returned by those sources can steer the agent into running commands.
  • Ingestion points: Oracle Cloud metadata (curl), Docker container logs (docker compose logs), and process environments (/proc/1/environ), all read in SKILL.md.
  • Boundary markers: None. The ingested content is not delimited, and the agent is given no instruction to treat embedded commands as data rather than instructions.
  • Capability inventory: curl | bash execution, npm install, and service management (systemctl, launchctl) are available throughout the skill.
  • Sanitization: The ingested data is not validated or filtered before it enters the agent's context.
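The findings above are all pattern-level: each one is a command string in SKILL.md, and the prompt-injection verdict is the combination of an ingestion point with a privileged capability. The following scanner is an added example written for this page, not Trust Hub's tooling and not code from skill-claw; it applies regex rules for the same five categories to a manifest and derives PROMPT_INJECTION the way the report does. The regexes are heuristics chosen for this example, and SAMPLE_SKILL_MD is a constructed manifest that mirrors the evidence lines quoted above, not the real SKILL.md.

```python
"""Static pre-install scan of an agent skill manifest (SKILL.md).

Added example; this is not Trust Hub code and not code from skill-claw.
It flags the command patterns this report cites and reproduces the
report's reasoning that untrusted input plus privileged capabilities
yields a prompt-injection finding. SAMPLE_SKILL_MD is constructed for
the example and is not the real SKILL.md.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str
    line_no: int
    line: str


# One regex per category (heuristics chosen for this example); a single
# line may trigger several categories.
RULES = [
    # fetch-and-pipe installers: curl/wget ... | [sudo] sh/bash
    ("REMOTE_CODE_EXECUTION",
     re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba)?sh\b")),
    # cloud instance metadata endpoints (OCI, AWS and Azure all use 169.254.169.254)
    ("DATA_EXFILTRATION",
     re.compile(r"169\.254\.169\.254|metadata\.google\.internal|fd00:ec2::254")),
    # copying or dumping secret stores
    ("CREDENTIALS_UNSAFE",
     re.compile(r"\b(cp|rsync|mv|tar|cat)\b[^\n]*(credentials|\.env|id_rsa|\.aws|\.ssh)")),
    # service, firewall and privilege-escalation tooling
    ("COMMAND_EXECUTION",
     re.compile(r"\b(sudo|launchctl|systemctl|ufw|socketfilterfw|iptables)\b")),
    # data read back into the agent's context that a third party can shape
    ("UNTRUSTED_INPUT",
     re.compile(r"docker\s+compose\s+logs|/proc/\d+/environ|169\.254\.169\.254")),
]

PRIVILEGED = {"REMOTE_CODE_EXECUTION", "COMMAND_EXECUTION"}
HIGH_RISK = {"REMOTE_CODE_EXECUTION", "DATA_EXFILTRATION",
             "CREDENTIALS_UNSAFE", "PROMPT_INJECTION"}


def scan_skill(text: str) -> list[Finding]:
    """Return every (category, line) hit, in document order."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        for category, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(category, n, line))
    return findings


def derived_categories(findings: list[Finding]) -> set[str]:
    """Raw categories, plus PROMPT_INJECTION when untrusted input meets privilege."""
    cats = {f.category for f in findings}
    if "UNTRUSTED_INPUT" in cats and cats & PRIVILEGED:
        cats.add("PROMPT_INJECTION")
    return cats


def risk_level(findings: list[Finding]) -> str:
    """HIGH if any high-risk category is present, MEDIUM for anything else, LOW if clean."""
    cats = derived_categories(findings)
    if cats & HIGH_RISK:
        return "HIGH"
    return "MEDIUM" if cats else "LOW"


# Constructed manifest mirroring the evidence lines in this report.
SAMPLE_SKILL_MD = r"""# skill-claw (constructed sample for this example, not the real SKILL.md)

## Install
curl -fsSL https://openclaw.ai/install.sh | bash

## Update
cp -r ~/.openclaw/credentials/ ~/.openclaw/credentials.bak/
npm install -g openclaw@latest

## Detect cloud provider (OCI)
curl -s -m 2 http://169.254.169.254/opc/v2/instance/ -H "Authorization: Bearer Oracle"

## Service management
sudo systemctl restart openclaw
launchctl load ~/Library/LaunchAgents/ai.openclaw.plist

## Debugging
docker compose logs --tail 200
cat /proc/1/environ | tr '\0' '\n'
"""


if __name__ == "__main__":
    hits = scan_skill(SAMPLE_SKILL_MD)
    for f in hits:
        print(f"[{f.category}] line {f.line_no}: {f.line}")
    print("Risk Level:", risk_level(hits), sorted(derived_categories(hits)))
```

Run against the sample, the scanner reports eight hits (the metadata probe counts twice, once as an exfiltration sink and once as an ingestion point), derives PROMPT_INJECTION because UNTRUSTED_INPUT co-occurs with curl | bash and systemctl, and rates the manifest HIGH. A manifest with only a systemctl line rates MEDIUM, and one with no matching commands rates LOW; the point is that the prompt-injection verdict is a property of the combination, not of any single line.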
Recommendations
  • HIGH: Downloads and executes remote code from: https://openclaw.ai/install.sh - DO NOT USE without thorough review. At minimum, fetch the script to a file, read it, record its checksum, and run only that reviewed copy; never pipe the live download into bash.
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 23, 2026, 06:50 AM