medeo-video

Warn

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: MEDIUM
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill scripts (scripts/feishu_send_video.py) and agent instructions (SKILL.md) access the platform's global configuration file located at ~/.openclaw/openclaw.json (also referenced via the hardcoded path /home/ec2-user/.openclaw/openclaw.json). This file contains sensitive credentials for messaging channels (e.g., Feishu appId and appSecret), which are exposed to the skill's environment.
  • [DATA_EXFILTRATION]: Instructions in SKILL.md (Section 0) direct the agent to read secrets from the platform's main configuration file and transmit them via network requests to the open.feishu.cn API to obtain access tokens. While this targets an official service, the pattern of accessing global platform secrets and transmitting them over the network is high-risk.
  • [COMMAND_EXECUTION]: The skill dynamically constructs shell commands using user-supplied data (messages, media URLs) and executes them using the sessions_spawn tool in scripts/medeo_video.py. Additionally, SKILL.md instructs the agent to execute a Python block that performs file reads and network operations directly.
  • [EXTERNAL_DOWNLOADS]: The script scripts/medeo_video.py includes functionality to download media from arbitrary user-provided external URLs using the requests library. This functionality can be used to interact with internal or external network resources.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 9, 2026, 10:31 AM