agent-swarm

Warn

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: MEDIUM

Tags: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Data Exposure] (MEDIUM): The script scripts/swarm_entry.py programmatically reads ~/.openclaw/openclaw.json and /root/.openclaw/openclaw.json. These files typically contain sensitive API keys and provider credentials. While the script uses this data to 'detect' available models for the user, an attacker could potentially exploit this to leak credentials if they can trigger the script and observe its output.
  • [Indirect Prompt Injection] (LOW): The scripts/experience_logger.py script implements a mechanism to store 'experiences' that are later injected into agent prompts.
    • Ingestion points: scripts/experience_logger.py takes the experience parameter from the command line/agent output and writes it to experience.json and experience.md in the agent's workspace.
    • Boundary markers: The inject_experiences function in the script does not use specific delimiters or 'ignore' instructions to wrap the injected content.
    • Capability inventory: The agents defined in references/setup-guide.md (such as the 'coder' and 'automator') have high-privilege capabilities, including exec, process, and file-writing tools.
    • Sanitization: There is no sanitization or validation of the experience content before it is stored or retrieved for injection.
  • [Command Execution] (LOW): The management scripts (config_checker.py, experience_logger.py, swarm_entry.py) use subprocess and file system operations (os.remove, mkdir). These are consistent with the skill's utility purpose but should be run within a restricted environment.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 21, 2026, 03:01 AM