openclaw-private-skills-manager

Warn

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS

Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for command injection by interpolating user-provided Git URLs directly into shell commands.
  • Ingestion points: The routing logic for 'Public skill install' takes a Git URL provided by the user and passes it to the skills add command.
  • Boundary markers: The input is wrapped in single quotes ('<git-url>'), but the skill lacks explicit instructions to the agent to sanitize the input for shell-breaking characters like backticks, semicolons, or subshell expansions.
  • Capability inventory: The skill possesses the capability to execute shell commands (skills add, skills update, find) and download remote content.
  • Sanitization: No validation or sanitization of the user-supplied string is performed before execution.
- [COMMAND_EXECUTION]: The skill frequently executes shell commands to automate extension management.
  • Evidence: Instructions include running skills add, skills update --yes, and a complex find command with -exec basename to scan local directories.
  • Impact: While intended for the skill's purpose, this capability provides the baseline for more serious exploits if inputs are manipulated.
- [EXTERNAL_DOWNLOADS]: The skill is designed to download and install executable code from the internet.
  • Evidence: It facilitates installation from https://github.com/yanyang1116/skills/ (the author's repository) and any Git URL specified by the user.
  • Risk: Automating the installation of code from arbitrary remote repositories ('Public skill install' flow) bypasses manual review of the extensions being added to the agent environment.
- [DATA_EXPOSURE]: The skill references and scans a specific hardcoded local directory path.
  • Evidence: The OpenClaw-only sync flow accesses /Users/yy/Documents/yy/skills/skills/openclaw.
  • Context: This reveals the user's home directory structure and username ('yy') to the agent environment.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 28, 2026, 09:08 AM