api-provider-setup

Warn

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, CREDENTIALS_UNSAFE)
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/sync-agent-auth.sh utilizes python3 -c to run Python code snippets built by directly interpolating shell variables like $TARGET_PROVIDER and $new_key. This creates a code injection vulnerability where a maliciously crafted provider name or API key containing single quotes could execute arbitrary Python code with the user's local permissions.
  • [CREDENTIALS_UNSAFE]: This skill manages sensitive, plaintext API keys within the ~/.openclaw directory. While necessary for the skill's utility, the lack of secure storage (e.g., encryption or a keyring) combined with the command execution vulnerability in the sync script creates a high-risk surface for credential theft or modification.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 17, 2026, 01:18 AM