openclaw
Fail
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill installs a recurring system task (crontab) to run an AI agent hourly. This task is configured with the '--dangerously-skip-permissions' flag, which bypasses all interactive tool-use confirmations, allowing the agent to perform autonomous actions on the system without human oversight or approval.
- [REMOTE_CODE_EXECUTION]: The skill's CLI script and upgrade process ('openclaw upgrade') pull files from a remote Git repository, move them into local skill directories, and apply executable permissions ('chmod +x'). This creates a path for remote code to be executed locally whenever the skill or background agent runs. Additionally, the CLI recommends a bootstrap method that pipes a remote shell script directly into 'bash'.
- [CREDENTIALS_UNSAFE]: The configuration workflow explicitly prompts for and stores sensitive API keys for multiple services, including OpenAI, Limitless, Fireflies.ai, Quo, and Parallel.ai.
- [EXTERNAL_DOWNLOADS]: The management script suggests an installation bootstrap method that downloads content from 'https://raw.githubusercontent.com/TechNickAI/openclaw-config/main/scripts/bootstrap.sh' and executes it directly.
- [PROMPT_INJECTION]: The autonomous background agent is instructed to follow guidelines from a remotely-synced file ('~/.openclaw-config/devops/health-check.md'). Since this file is controlled by an external repository and processed by an agent with security bypasses enabled, it serves as a significant surface for indirect prompt injection.
  - Ingestion points: Instruction file located at '~/.openclaw-config/devops/health-check.md' is read via the '--append-system-prompt-file' argument.
  - Boundary markers: None are present to delimit external instructions from system instructions.
  - Capability inventory: Full tool access is granted via the '--dangerously-skip-permissions' flag.
  - Sanitization: No validation or filtering is performed on the content pulled from the remote repository before it is injected into the prompt context.
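The five findings above reduce to patterns that can be checked mechanically before a skill like this is allowed to run. The following Python script is an added example, not code from openclaw or from the Gen Agent Trust Hub audit: it scans a constructed crontab and a constructed upgrade script for an unattended agent run with '--dangerously-skip-permissions', a system-prompt file read from a remotely synced directory, a curl-to-bash bootstrap, 'chmod +x' applied to freshly pulled repository content, and an API key appended to a plaintext file, then shows a hash pin as the mitigation for the prompt-injection surface. The agent binary name 'agent-cli', the '~/.local/skills/' destination and the sample file contents are assumptions; the '~/.openclaw-config' path, the bootstrap URL and the two flags are taken from the findings.

```python
"""Scan crontab and install-script text for the risk patterns the audit lists.

Added example, not openclaw's own code and not part of the Trust Hub audit.
The inputs below are constructed: 'agent-cli' and ~/.local/skills/ are
assumptions; ~/.openclaw-config, the bootstrap URL and the two agent flags
are quoted from the findings.
"""
import hashlib
import re
import shlex

# Constructed crontab, modelled on the hourly job the audit describes.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 * * * * agent-cli -p "run health check" --dangerously-skip-permissions --append-system-prompt-file ~/.openclaw-config/devops/health-check.md
30 2 * * * /usr/local/bin/backup.sh
"""

# Constructed upgrade/install script, modelled on the behaviour the audit describes.
SAMPLE_SCRIPT = """\
#!/usr/bin/env bash
set -e
git -C ~/.openclaw-config pull --ff-only
cp ~/.openclaw-config/skills/*.sh ~/.local/skills/
chmod +x ~/.local/skills/*.sh
echo "Quick start: curl -fsSL https://raw.githubusercontent.com/TechNickAI/openclaw-config/main/scripts/bootstrap.sh | bash"
read -r -p "OpenAI API key: " OPENAI_API_KEY
echo "OPENAI_API_KEY=$OPENAI_API_KEY" >> ~/.openclaw-config/.env
"""

# Directories the audit identifies as synced from a remote repository.
SYNCED_DIRS = ("~/.openclaw-config",)

PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b")
GIT_FETCH = re.compile(r"\bgit\b[^\n]*\b(pull|clone|fetch)\b")
CHMOD_EXEC = re.compile(r"\bchmod\s+[ugoa]*\+x\b")
# A shell variable holding a key/token/secret being appended to a file.
KEY_TO_FILE = re.compile(r"\w*(API_KEY|TOKEN|SECRET)\w*=\$\w+[^\n]*>>")


def scan_crontab(text):
    """Return (tag, line_no, detail) for risky agent invocations in crontab text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(None, 5)          # five schedule fields, then the command
        if len(fields) < 6:
            continue
        try:
            argv = shlex.split(fields[5])
        except ValueError:
            argv = fields[5].split()
        if "--dangerously-skip-permissions" in argv:
            findings.append(("COMMAND_EXECUTION", line_no,
                             "unattended run with tool-use confirmations disabled"))
        for i, tok in enumerate(argv[:-1]):
            if tok == "--append-system-prompt-file" and argv[i + 1].startswith(SYNCED_DIRS):
                findings.append(("PROMPT_INJECTION", line_no,
                                 f"system prompt read from synced path {argv[i + 1]}"))
    return findings


def scan_script(text):
    """Return (tag, line_no, detail) for download, exec-bit and credential patterns."""
    findings = []
    fetched = False
    for line_no, line in enumerate(text.splitlines(), 1):
        if PIPE_TO_SHELL.search(line):
            findings.append(("EXTERNAL_DOWNLOADS", line_no, "remote script piped into a shell"))
        if GIT_FETCH.search(line):
            fetched = True                     # a later chmod +x acts on remote content
        if fetched and CHMOD_EXEC.search(line):
            findings.append(("REMOTE_CODE_EXECUTION", line_no,
                             "exec bit set on files pulled from a remote repository"))
        if KEY_TO_FILE.search(line):
            findings.append(("CREDENTIALS_UNSAFE", line_no, "API key written to a plaintext file"))
    return findings


def risk_tags(findings):
    """Distinct tags, sorted, for comparison with the audit's flag list."""
    return sorted({tag for tag, _, _ in findings})


def prompt_file_is_pinned(content, expected_sha256):
    """Mitigation for the injection surface: only use a synced instruction file
    whose hash matches the one recorded when it was last reviewed."""
    return hashlib.sha256(content).hexdigest() == expected_sha256


if __name__ == "__main__":
    for tag, n, detail in scan_crontab(SAMPLE_CRONTAB) + scan_script(SAMPLE_SCRIPT):
        print(f"{tag:22} line {n}: {detail}")
    reviewed = b"# Health check\n- Report disk and memory usage\n"   # constructed file body
    pin = hashlib.sha256(reviewed).hexdigest()
    print("pinned ok:", prompt_file_is_pinned(reviewed, pin))
    print("after upstream edit:", prompt_file_is_pinned(reviewed + b"- new line\n", pin))
```

Run against the constructed inputs, the script reports all five tags the audit assigns. The hash pin is the simplest fix for the unvalidated ingestion point: the background job refuses to pass the synced file to '--append-system-prompt-file' unless its digest matches the one recorded when a human last read it, so an upstream commit cannot silently change the agent's instructions.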
Recommendations
- AI detected serious security threats
Audit Metadata