The Agent Skills Directory

[DYNAMIC_EXECUTION]: The skill uses node -e to dynamically execute JavaScript for parsing local JSON configuration files and extracting the GH_TOKEN. This pattern is used in the main skill logic and is also embedded in the sub-agent task prompts to ensure token availability.
[CREDENTIALS_UNSAFE]: The skill is designed to read sensitive credential files from specific paths (~/.openclaw/openclaw.json and /data/.clawdbot/openclaw.json) to obtain the GitHub authentication token. Additionally, the sub-agent prompt instructs the agent to embed the token directly into the git remote URL (e.g., https://x-access-token:$GH_TOKEN@github.com/...), which results in the secret being stored in the local .git/config file.
[PROMPT_INJECTION]: The skill processes untrusted external data from GitHub (issue descriptions and PR review comments) and interpolates it into prompts for sub-agents.
Ingestion points: Untrusted content is ingested from GitHub repository issues (Phase 2) and pull request review comments (Phase 6).
Boundary markers: The sub-agent prompts use XML-like tags (<issue>, <review_comments>) to separate external data, but they lack explicit instructions for the LLM to ignore or treat the embedded content as data only.
Capability inventory: Sub-agents are granted extensive capabilities, including shell command execution (exec), file system modifications, and git operations.
Sanitization: There is no evidence of sanitization, filtering, or escaping performed on the external content before it is passed to the sub-agent prompts.
[COMMAND_EXECUTION]: The skill frequently executes shell commands via exec for operations involving curl, git, and jq. This includes building command strings that incorporate variables derived from external repository names and PR data, which increases the risk of command injection if the repository metadata is maliciously crafted.

gh-issues