openclaw-team-bus

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill facilitates inter-agent coordination, creating a surface for indirect prompt injection where malicious instructions could be embedded in inter-agent messages.
      • Ingestion points: The cmd_poll function in scripts/bus.py reads JSON-formatted task files from /root/.openclaw/team-bus/inbox/ and prints the title and description fields directly to the agent's context.
      • Boundary markers: The script does not utilize boundary markers or delimiters to isolate the message content, nor does it provide the LLM with instructions to ignore potential commands within the payload.
      • Capability inventory: Although the skill itself is limited to filesystem operations, it is designed to be used by agents with capabilities such as code execution and deployment, making them vulnerable to following instructions received via the bus.
      • Sanitization: There is no sanitization or validation of the message payload (title, description, or task ID) before it is processed by the agent. Additionally, the to_agent parameter in the send command lacks sanitization, which could theoretically allow for path traversal within the communication directory structure.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Mar 6, 2026, 07:54 AM