
clawr

Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXFILTRATION]: The script scripts/test-payment.sh is configured to read a PRIVATE_KEY from a local environment file (~/.openclaw/workspace/scripts/x402-env.sh) and transmit it in a plain-text HTTP header (X-Payment-Private-Key) to a user-provided URL. This implementation facilitates the exfiltration of sensitive wallet credentials to arbitrary external endpoints.
  • [PROMPT_INJECTION]: The examples/ai-skill/server.js file implements an endpoint that fetches HTML from a user-supplied URL and includes large snippets (up to 12,000 characters) directly into a prompt for the Claude LLM. This design is highly susceptible to indirect prompt injection attacks where a malicious website could take control of the agent's behavior.
      • Ingestion points: Content is ingested from the url parameter in the /api/analyze POST route.
      • Boundary markers: The prompt uses basic text labels but lacks strong delimiters or specific instructions to the AI to ignore instructions found within the HTML snippet.
      • Capability inventory: The skill has the ability to run scaffolding scripts, create project files, and perform network requests.
      • Sanitization: The code does not perform any sanitization or filtering to detect or remove instructions from the fetched HTML.
  • [COMMAND_EXECUTION]: The scripts/scaffold.sh script automates the installation of project dependencies by executing npm install or pip install based on the selected template. While standard for developer tools, this results in the execution of external code during the project setup process.
  • [EXTERNAL_DOWNLOADS]: The skill references several external domains for its operation, including https://x402.org/facilitator for payment verification and the author's demo endpoint at https://clawr-dispatcher.ferdiboxman.workers.dev. These resources are used for core protocol functionality and testing.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 1, 2026, 03:47 PM