The Agent Skills Directory

[PROMPT_INJECTION]: The skill identifies a potential surface for indirect prompt injection because it processes untrusted conversation data from MEMORY.md and CONTEXT.md to extract 'decisions' and 'tasks'.
Ingestion points: Untrusted text is read into score.py from the workspace directory.
Boundary markers: The script does not wrap extracted snippets in delimiters or include warnings for the agent to ignore embedded instructions within those snippets.
Capability inventory: The skill is restricted to reading and writing local files within the ~/.openclaw environment; it lacks network capabilities (no requests, urllib, or socket) and does not invoke subprocesses or shell commands.
Sanitization: Data extracted via regex is printed directly to stdout or saved to a YAML file without sanitization. While this could surface malicious instructions as 'blind spots', the skill itself does not execute them, and the risk is inherent to its primary diagnostic purpose.

context-assembly-scorer