ngrok-unofficial-webhook-skill

Fail

Audited by Gen Agent Trust Hub on Feb 14, 2026

Risk Level: CRITICAL (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [COMMAND_EXECUTION] (CRITICAL): The autoForward function in scripts/webhook-server.js executes shell commands using templates defined in neighboring skills' skill.json files.
      • Evidence: Lines 196-200: command = command.replace('{{meeting_id}}', meetingId); followed by execFile('sh', ['-c', command], ...).
      • Vulnerability: The meetingId is extracted directly from the untrusted webhook body via resolvePath (Line 191) without any sanitization or validation. An attacker can use shell metacharacters (e.g., ;, &, |, `) in the webhook payload to execute arbitrary system commands.
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill implements a 'confused deputy' pattern by discovering and executing commands defined in other skills.
      • Evidence: discoverWebhookSkills() (Lines 60-93) scans all sibling directories and parses skill.json for webhookCommands.
      • Risk: A malicious skill installed in the same environment can leverage this skill to gain persistent execution triggered by external network events, bypassing local security boundaries.
  • [DATA_EXFILTRATION] (MEDIUM): The skill automatically processes and broadcasts incoming webhook data which may contain sensitive information.
      • Evidence: process.stdout.write (Line 218) and notifyUser (Line 228) leak the full webhook payload to system logs and external messaging channels (WhatsApp/Telegram via the OpenClaw CLI).
      • Risk: Sensitive PII, meeting IDs, or API tokens delivered via webhooks are exposed to unintended logs and third-party notification platforms.
  • [EXTERNAL_DOWNLOADS] (LOW): Relies on the @ngrok/ngrok package which downloads the ngrok binary at runtime.
      • Note: This is a trusted dependency per [TRUST-SCOPE-RULE], but the functionality inherently exposes local ports to the public internet, significantly increasing the attack surface.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 14, 2026, 12:31 PM