unclawg-internet

Fail

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: HIGH
Categories: DATA_EXFILTRATION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: Sensitive token exposure via URL query parameters.
      • The skill uses the open command to send an access_token and refresh_token to https://unclawg.com/auth/cli-callback. This is a high-risk practice as it leaks credentials to local process logs, browser history, and network proxies.
  • [CREDENTIALS_UNSAFE]: Handling and local storage of secrets.
      • The skill manages OPENCLAW_MACHINE_SECRET, ACCESS_TOKEN, and REFRESH_TOKEN during the onboarding flow.
      • It writes these secrets to .claude/agents/${AGENT_ID}.env. While .env files are standard for local management, the automated creation of credential files is a sensitive operation.
  • [COMMAND_EXECUTION]: Extensive shell command usage.
      • The skill relies on shell commands including curl for API interaction, mkdir and cat for file system modification, and python3 for inline JSON encoding.
      • The ! dynamic context injection is not present, but the instructions provide raw bash scripts for the agent to execute.
  • [EXTERNAL_DOWNLOADS]: Network operations to external API.
      • The skill makes multiple POST and PUT requests to https://api.unclawg.com and https://unclawg.com to provision account resources and push configuration data.
  • [PROMPT_INJECTION]: Indirect prompt injection vulnerability.
      • Ingestion points: User-supplied email, agent name, and content from external URLs fetched via Task subagents in the 'Soul Interview' phase.
      • Boundary markers: Absent. The skill does not define clear delimiters or instruction-bypass warnings when processing the fetched content.
      • Capability inventory: Subprocess calls via curl, file system writes (mkdir, cat, cat > .claude/agents/...), and network exfiltration potential via the curl commands in SKILL.md.
      • Sanitization: Partial. It uses an inline Python script to JSON-encode the 'soul' content before sending it to the API, which mitigates simple schema confusion but does not prevent instruction injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 10, 2026, 08:11 PM