The Agent Skills Directory

[DATA_EXFILTRATION]: The skill is configured to access and index sensitive directories such as ~/.openclaw/agents/ and ~/.openclaw/, which are documented to contain "Agent configs, models, auth". Accessing files that contain authentication tokens or credentials poses a risk of exposure if an agent is successfully prompted to leak retrieved data.\n- [COMMAND_EXECUTION]: The memory_router.sh script executes the qmd utility with user-supplied arguments. This tool performs extensive file system operations, and the script also utilizes standard shell commands like grep and cut to process file content.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to the volume of data it processes. Ingestion points: Content is retrieved from thousands of files in ~/clawd/ and ~/.openclaw/. Boundary markers: The system lacks delimiters or specific instructions to treat retrieved knowledge as untrusted content. Capability inventory: The agent can execute the qmd tool and shell commands to read and process files. Sanitization: No content filtering or sanitization is performed on the data fetched from the local knowledge base.

memory-router