jqopenclaw-node-invoker

Fail

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION

Full Analysis
  • [REMOTE_CODE_EXECUTION]: The node.selfUpdate command allows the agent to download an executable from an arbitrary downloadUrl provided as a parameter. The process involves downloading via HTTP, verifying an MD5 hash, and executing a generated batch script to replace the current node binary. This constitutes a high-risk remote code execution pathway.
  • [COMMAND_EXECUTION]: The skill exposes process.exec and system.run capabilities, which allow the execution of arbitrary system programs and shell commands with arguments and custom environment variables. Additionally, system.input allows for the simulation of raw keyboard and mouse events, which can be used to bypass UI-based security prompts.
  • [DATA_EXFILTRATION]: Multiple commands facilitate the access and potential exfiltration of sensitive information. file.read provides arbitrary file system access (including multi-part reading), system.screenshot captures all available screens, and system.clipboard allows reading the current system clipboard content.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
      • Ingestion points: The agent reads potentially untrusted data from the file system (file.read), process lists (process.manage), and the system clipboard (system.clipboard).
      • Boundary markers: The documentation does not specify the use of delimiters or 'ignore' instructions to prevent the agent from obeying commands embedded in this external data.
      • Capability inventory: The skill possesses powerful write and execute capabilities (process.exec, system.run, file.write, node.selfUpdate).
      • Sanitization: There is no mention of sanitizing or filtering input from these external sources before the agent processes it.
  • [COMMAND_EXECUTION]: The file.write command allows the agent to write arbitrary content to files, move files, and delete data (to the trash), which can be used to modify system configurations or plant malicious scripts.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 10, 2026, 12:25 PM