picoclaw
Fail
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documentation describes an 'exec' tool for shell command execution. It applies 'deny patterns' that block destructive commands such as rm -rf, sudo and chmod, but a pattern-based deny list is a string filter, not a sandbox: any command that does not match a pattern runs, so the tool still lets the AI agent execute arbitrary shell code on the host system.
- [REMOTE_CODE_EXECUTION]: PicoClaw lets users install 'skills' directly from a GitHub repository slug (e.g. 'picoclaw skills install sipeed/picoclaw-skills'). The logic is downloaded and executed without the verification a standard package registry would provide, bypassing supply chain security controls; a compromised repository, or a slug that points at the wrong one, becomes code execution on the host.
- [EXTERNAL_DOWNLOADS]: The configuration also supports external skill registries such as 'ClawHub'. Fetching extensions from unverified third-party sources raises the chance of installing a malicious or compromised component.
- [CREDENTIALS_UNSAFE]: The system stores sensitive information, including API keys and OAuth tokens, in local JSON files (~/.picoclaw/config.json and auth.json). Any process running as the same user, the agent itself if it is compromised, or anyone with access to the host can read these files, so the secrets are exposed as soon as either the agent or the host is compromised.
- [PROMPT_INJECTION]: The skill has a large surface for indirect prompt injection because it ingests untrusted data from multiple chat channels (Telegram, Discord, WhatsApp, etc.).
  1. Ingestion points: messages received through the integrated chat channels described in references/channels.md.
  2. Boundary markers: the documentation mentions no delimiters and no instruction to treat commands embedded in messages as data rather than instructions.
  3. Capability inventory: high-risk tools including the 'exec' shell tool and the skill installation manager.
  4. Sanitization: regex-based 'deny patterns' apply to the exec tool only; they do not stop the agent from obeying malicious instructions embedded in a message and using exec or skill installation to carry them out.
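The deny-list weakness raised in the COMMAND_EXECUTION finding and in item 4 of the PROMPT_INJECTION finding, as an added example that is not PicoClaw's code: the pattern list below is written in the style the audit describes, and the bypass commands and the allowlist are assumptions constructed for illustration, not the project's real list. It shows that a regex deny list lets through commands with the same destructive effect, and that an allowlist on the parsed argv (run without a shell) rejects them.

```python
import re
import shlex
import subprocess

# Deny patterns in the style the audit describes (constructed for this
# example; not PicoClaw's actual list).
DENY_PATTERNS = [
    re.compile(r"\brm\s+-rf\b"),
    re.compile(r"\bsudo\b"),
    re.compile(r"\bchmod\b"),
]


def denylist_allows(cmd: str) -> bool:
    """Regex deny-list check: True if no deny pattern matches the raw string."""
    return not any(p.search(cmd) for p in DENY_PATTERNS)


# Constructed commands that reach the same effect as the blocked ones without
# containing the blocked substrings.
BYPASSES = [
    "rm -r -f /tmp/target",                                  # flags split
    "rm -fr /tmp/target",                                    # flags reordered
    "r''m -rf /tmp/target",                                  # empty quotes break the token
    "find /tmp/target -delete",                              # different tool, same result
    "python3 -c \"import shutil;shutil.rmtree('/tmp/target')\"",
    "$(echo c3Vkbw== | base64 -d) id",                       # 'sudo' decoded at runtime
    "ch\\mod 777 /etc/passwd",                               # backslash-escaped token
]

# Hardened alternative (assumed policy): allowlist of executables, no shell.
ALLOWED_COMMANDS = {"ls", "cat", "grep", "git", "echo", "head", "tail"}
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n]")


def allowlist_check(cmd: str):
    """Reject shell metacharacters, parse into argv, allow only listed argv[0].
    Returns (allowed, reason)."""
    if SHELL_META.search(cmd):
        return False, "shell metacharacters present"
    try:
        argv = shlex.split(cmd)
    except ValueError as exc:
        return False, f"unparseable: {exc}"
    if not argv:
        return False, "empty command"
    if argv[0] not in ALLOWED_COMMANDS:
        return False, f"{argv[0]!r} not in allowlist"
    return True, "ok"


def run_allowlisted(cmd: str, timeout: int = 30) -> subprocess.CompletedProcess:
    """Execute only after the allowlist check, passing argv directly (no shell),
    so quoting tricks and substitutions are never interpreted."""
    allowed, reason = allowlist_check(cmd)
    if not allowed:
        raise PermissionError(reason)
    return subprocess.run(shlex.split(cmd), shell=False, capture_output=True,
                          text=True, timeout=timeout)


if __name__ == "__main__":
    for c in BYPASSES:
        print(f"deny-list allows={denylist_allows(c)!s:5} "
              f"allowlist={allowlist_check(c)}  {c}")
```

The allowlist variant is still not a sandbox: an allowed binary can be abused with the wrong arguments, so an exec tool exposed to channel messages should additionally require user confirmation for channel-originated requests and run under OS-level isolation.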
Recommendations
- AI detected serious security threats
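A check a practitioner would run against the CREDENTIALS_UNSAFE finding, as an added example that is not PicoClaw's code: the file names config.json and auth.json come from the finding; the directory used, the placeholder contents and the owner-only target modes (0600 for files, 0700 for the directory) are assumptions. It audits the two secret files for group/world access, symlinks and wrong ownership, then tightens them; the demo builds a throwaway directory instead of touching a real ~/.picoclaw.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Files the audit names as holding API keys and OAuth tokens.
SECRET_FILES = ("config.json", "auth.json")


def audit_secret_files(config_dir: Path) -> dict:
    """Return {filename: [findings]} for each secret file in config_dir.
    An empty list means the file exists, is a regular file owned by the
    current user, and grants no group/other permission bits."""
    findings = {}
    for name in SECRET_FILES:
        path = config_dir / name
        issues = []
        if path.is_symlink():
            issues.append("is a symlink (writes could be redirected)")
        if not path.exists():
            findings[name] = ["missing"]
            continue
        st = path.stat()
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            issues.append(f"mode {oct(mode)} grants group/other access; expected 0o600")
        if st.st_uid != os.getuid():
            issues.append("not owned by the current user")
        findings[name] = issues
    return findings


def lock_down(config_dir: Path) -> None:
    """Tighten the directory and the secret files to owner-only access."""
    os.chmod(config_dir, 0o700)
    for name in SECRET_FILES:
        path = config_dir / name
        if path.exists() and not path.is_symlink():
            os.chmod(path, 0o600)


def demo() -> tuple:
    """Constructed scenario: a temp directory with a world-readable config.json
    and an owner-only auth.json; audit, lock down, audit again."""
    d = Path(tempfile.mkdtemp(prefix="picoclaw-audit-"))
    (d / "config.json").write_text(json.dumps({"api_key": "constructed-placeholder"}))
    os.chmod(d / "config.json", 0o644)          # the loose mode the audit warns about
    (d / "auth.json").write_text(json.dumps({"token": "constructed-placeholder"}))
    os.chmod(d / "auth.json", 0o600)
    before = audit_secret_files(d)
    lock_down(d)
    after = audit_secret_files(d)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Owner-only modes only narrow exposure to the agent's own user; they do not help once the agent process itself is compromised, which is the case the finding also names. Moving tokens into an OS keychain or a secrets manager with short-lived credentials is the longer-term fix.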
Audit Metadata