The Agent Skills Directory

[DATA_EXPOSURE_AND_EXFILTRATION]: The skill accesses highly sensitive file paths containing authentication credentials: ~/.openclaw/agents/main/agent/auth-profiles.json (Anthropic API tokens), ~/.openclaw/credentials/telegram/*/token.txt (Telegram bot tokens), ~/.openclaw/credentials/bird/cookies.json (X/Twitter session cookies), and ~/.openclaw/openclaw.json (Main configuration containing channel auth and plugin settings).
[COMMAND_EXECUTION]: Provides numerous bash commands for system monitoring, log analysis, and process manipulation. It frequently uses jq to perform destructive edits on the main configuration file.
[UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: Facilitates the installation and execution of external modules and autonomous agents: Encourages use of clawdhub install and npx add-skill to download and integrate remote code from external repositories. It also documents the use of autonomous sub-agents (e.g., codex, claude) using flags like --full-auto or --yolo, which allow agents to execute generated code without manual approval.
[INDIRECT_PROMPT_INJECTION]: The skill processes untrusted chat transcripts from various messaging platforms. 1. Ingestion points: Reads ~/.openclaw/agents/main/sessions/*.jsonl, which contains messages from WhatsApp, Signal, and Telegram. 2. Boundary markers: None; log content is parsed and rendered directly to the terminal/agent context. 3. Capability inventory: Config modification via jq, shell access, and sub-agent spawning. 4. Sanitization: No evidence of sanitization or filtering of the message content during parsing.
[PERSISTENCE_MECHANISMS]: Mentions and manages ~/.openclaw/cron/jobs.json, which defines scheduled autonomous tasks that persist across sessions.

openclaw-config