frame-builder

Fail

Audited by Gen Agent Trust Hub on Feb 14, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • Unverifiable Dependencies & Remote Code Execution (CRITICAL): The skill implements an automated update mechanism under the 'OpenClaw Heartbeat Integration' and 'Auto-Update' sections. It instructs the agent to periodically execute git pull origin main followed by npm install without human confirmation. Since the origin repository (clawdbot/skills) is not a trusted source, the repository owner can push malicious code or post-install scripts that execute immediately on the host.
  • Credentials & Data Exposure (HIGH): The skill manages highly sensitive data by creating ~/.evm-wallet.json. This file contains the plaintext private key for an EVM wallet. While the documentation suggests chmod 600, the storage of raw private keys on disk combined with the skill's network/command execution capabilities creates a significant risk of credential theft.
  • Indirect Prompt Injection (HIGH): The skill has a large ingestion surface, reading from the workspace HEARTBEAT.md and external APIs (api.long.xyz). It combines this with powerful capabilities (file writes, command execution, and automated updates), creating a path for attackers to influence agent behavior through external data.
  • Command Execution (MEDIUM): The skill relies heavily on executing shell commands via node, curl, and jq. The instructions encourage the agent to run these scripts as part of a background 'heartbeat' cycle, increasing the window of opportunity for malicious command injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 14, 2026, 06:02 PM