The Agent Skills Directory

[COMMAND_EXECUTION]: The skill instructs the agent to execute a variety of build, test, and release commands using pnpm, npm, and git. It also runs custom project scripts, such as scripts/openclaw-npm-postpublish-verify.ts, to validate the integrity of published packages.
[CREDENTIALS_UNSAFE]: The instructions require the agent to load sensitive environment variables by sourcing the user's shell profile (~/.profile) and interacting with the 1Password CLI (op://Private/Npmjs). These credentials are used for legitimate authentication with the npm registry and CI/CD environments.
[DATA_EXFILTRATION]: Once a release is successful, the skill is authorized to send automated announcements containing release details to external platforms including Discord and X (Twitter) using the maintainer's bot tokens.
[PROMPT_INJECTION]: The skill processes external data such as git commit messages and CHANGELOG.md files to generate release documentation. This constitutes an indirect prompt injection surface where malicious content in the repository's history could theoretically be used to influence the agent's behavior during the release process.

openclaw-release-maintainer