The Agent Skills Directory

[COMMAND_EXECUTION]: The script scripts/plan.sh is vulnerable to local command injection. The functions cmd_plan and cmd_reflect use unquoted here-documents (cat << EOF) to write user input to markdown files.
[COMMAND_EXECUTION]: Evidence: Shell variables such as $ONE_THING and $WINS are interpolated into the here-document block. Because the EOF delimiter is unquoted, the shell performs command substitution on the content. A user or agent providing input like $(id) or `whoami` will trigger execution of those commands.
[COMMAND_EXECUTION]: Indirect Prompt Injection vulnerability surface.
[COMMAND_EXECUTION]: Ingestion points: scripts/plan.sh via interactive read prompts.
[COMMAND_EXECUTION]: Boundary markers: None present in the script or generated files to delimit untrusted input.
[COMMAND_EXECUTION]: Capability inventory: The script has the capability to create and modify files in the user's home directory (~/.openclaw/).
[COMMAND_EXECUTION]: Sanitization: The script lacks sanitization for shell metacharacters in here-documents, failing to use quoted delimiters (e.g., << 'EOF') which would prevent command substitution.

adhd-founder-planner