openclaw-secure-linux-cloud
Fail
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references a URL (https://blog.xi-xu.me/en/2026/03/13/Run-OpenClaw-Securely-On-Debian-Cloud-Server.html) that has been flagged as malicious by automated security scanners. While the domain belongs to the skill's author, the blacklist status represents a verified security risk.
- [EXTERNAL_DOWNLOADS]: The skill requires downloading software and scripts from a third-party GitHub repository (https://github.com/openclaw/openclaw.git) that is not part of a verified or trusted organization.
- [REMOTE_CODE_EXECUTION]: The workflow directs users to execute local scripts (e.g., setup-podman.sh) with elevated privileges (sudo) immediately after they are cloned from the external repository. This pattern allows for arbitrary code execution on the host system if the repository content is compromised.
- [COMMAND_EXECUTION]: The skill requests extensive use of sudo to perform high-risk system modifications, including overwriting SSH configurations (/etc/ssh/sshd_config), modifying firewall rules (/etc/nftables.conf), and enabling system services.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its interaction with external messaging platforms.
  - Ingestion points: The skill processes data from external messaging channels (Telegram, Signal) during the 'pairing' and messaging workflow described in references/REFERENCE.md.
  - Boundary markers: Absent. There are no instructions to delimit or ignore instructions that may be embedded in the incoming messages.
  - Capability inventory: The agent is granted extensive capabilities, including shell execution, sudo access, and file system modifications.
  - Sanitization: Absent. No validation or sanitization of the external messaging data is performed before the agent processes it.
Recommendations
- AI detected serious security threats
- Contains 2 malicious URL(s) - DO NOT USE