The Agent Skills Directory

[COMMAND_EXECUTION]: The skill's bootstrap phase uses the source command to load environment variables from files located in .claude/agents/ or services/approval_feedback_api/. Since source executes the content of the file in the current shell, it presents a risk of arbitrary command execution if an attacker can influence the contents of these files.
[DATA_EXFILTRATION]: Sensitive credentials, including OPENCLAW_MACHINE_SECRET and OPENCLAW_API_KEY, are read from the local filesystem and transmitted to the vendor's API endpoint via HTTP headers in curl requests. While this is the intended functionality for the service, it establishes a pattern of credential handling and transmission to a remote server.
[PROMPT_INJECTION]: The skill ingests untrusted social media posts to generate proposed replies, creating a vulnerability to indirect prompt injection.
Ingestion points: Local discovery briefs (~/.claude/skills/unclawg-discover/briefs/), user-pasted content, and external files.
Boundary markers: The instructions do not specify the use of delimiters or 'ignore' instructions to isolate the untrusted social media text from the agent's generation prompt.
Capability inventory: The skill possesses shell execution capabilities (source, uc_feed, curl), file system access, and network communication.
Sanitization: No sanitization or validation of the source_post_text is performed before it is processed by the LLM.

unclawg-feed