skills/36kr-com/skills/36kr-ainotes/Gen Agent Trust Hub

36kr-ainotes

Pass

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: SAFE | EXTERNAL_DOWNLOADS | PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill is designed to fetch daily AI review notes from the vendor's CDN infrastructure at openclaw.36krcdn.com. This is the primary function of the skill and involves fetching publicly available JSON data from the author's own domain.
  • [PROMPT_INJECTION]: Because the skill ingests content from an external API (including article titles and abstracts), it is exposed to indirect prompt injection, a risk the skill correctly identifies. It includes a dedicated 'Security Instruction' section that explicitly commands the agent to treat all data fields as pure text and disregard any embedded instructions (such as 'ignore previous instructions').
  • [REMOTE_CODE_EXECUTION]: Automated scanners identified a potentially dangerous pattern involving curl piped to python3. However, manual review confirms this is a false positive. The shell examples and scripts utilize python3 -m json.tool to format the received JSON output or use heredocs to pass the data to a static local script for display purposes. The content fetched from the remote URL is never executed as code.
  • [COMMAND_EXECUTION]: The provided helper scripts (fetch_ainotes.py and fetch_ainotes.sh) are tools for local data retrieval. They use standard libraries and validated arguments, avoiding unsafe patterns like eval or unquoted variable expansion in shell commands.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 30, 2026, 12:16 PM