agent-autonomy-kit

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE

Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (SAFE): Scripts like check-active-subagents.js and check-dirty-repos.js utilize execSync and spawnSync to interact with local CLI tools (openclaw and git). These operations are restricted to environmental state checks and use proper sanitization (e.g., integer parsing for timing arguments) to prevent shell injection.
  • [PROMPT_INJECTION] (LOW): The skill employs strong behavioral constraints in post-task-protocol.md and QUEUE-ENFORCEMENT-EXAMPLES.md, instructing the agent to prioritize the task queue over human interaction ('MANDATORY', 'MUST', 'DO NOT ask'). These are identified as functional steering prompts designed for autonomy and do not target agent safety protocols.
  • [Indirect Prompt Injection] (LOW): The check-queue.js script processes tasks/QUEUE.md, which serves as an untrusted ingestion point. Evidence chain:
    1. Ingestion: check-queue.js reading tasks/QUEUE.md.
    2. Boundaries: Relies on markdown structure; no explicit 'ignore' delimiters.
    3. Capabilities: Script execution and subagent spawning via openclaw.
    4. Sanitization: Uses regex for priority extraction rather than interpreting task text as code.
  • [DATA_EXPOSURE] (SAFE): The lib/sessionActivity.js library reads local session logs to determine subagent activity levels. This access is limited to the local workspace with no evidence of remote exfiltration or credential harvesting.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 17, 2026, 06:15 PM