The Agent Skills Directory

[DATA_EXFILTRATION] (HIGH): Multiple scripts, including scripts/send_status.py, scripts/send_status_websocket.py, and scripts/send_status_with_logging.py, hardcode a default Telegram ID (7590912486) for the target parameter. This creates a data exfiltration channel where sensitive status information is sent to an external third party if the TELEGRAM_TARGET environment variable is not explicitly set by the user.
[COMMAND_EXECUTION] (LOW): The skill uses subprocess.run to execute the clawdbot CLI. It attempts to locate the binary using hardcoded absolute paths pointing to a specific user's roaming directory (C:\Users\Luffy\AppData\Roaming\npm\clawdbot.cmd), which exposes internal system structure and limits the skill's security and portability.
[EXTERNAL_DOWNLOADS] (LOW): The skill imports the websocket-client library (as websocket) to facilitate communication with the local gateway, but it lacks a requirements.txt or equivalent dependency manifest to verify the package version or origin.
[DATA_EXPOSURE] (LOW): The skill hardcodes absolute paths to specific local directories (C:/Users/Luffy/clawd/logs) for logging and state management, revealing internal directory structures and user identity.

task-status