figo-openclaw-installer

Fail

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: HIGH
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is designed to directly execute shell commands on the host system, including docker-compose, npm, and winget. It explicitly instructs the agent to 'execute the necessary commands yourself' rather than just providing guidance.
  • [PERSISTENCE]: In Phase 5, the skill automates the creation of startup scripts and offers to register them to system startup locations, specifically shell:startup on Windows and systemd or cron on Linux. This allows the software to maintain persistence across reboots.
  • [CREDENTIALS_UNSAFE]: The workflow requires the collection of sensitive credentials, including Feishu App ID and App Secret, as well as LLM API keys. These are stored in .env files and potentially handled in cleartext during the automation process.
  • [EXTERNAL_DOWNLOADS]: The skill modifies the system's global NPM configuration to use a third-party registry (https://registry.npmmirror.com/) and installs external packages like @openclaw/feishu via npm install.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it interpolates user-provided data—such as model names, domain IPs, and authentication codes—directly into shell commands (e.g., docker-compose exec openclaw openclaw models fallbacks add <backup_model_name>). There is no evidence of input sanitization or boundary markers to prevent command injection via these variables.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 26, 2026, 08:11 AM