skills/steipete/clawdis/gh-issues/Gen Agent Trust Hub

gh-issues

Fail

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill implements a 'Token Resolution' mechanism that explicitly targets sensitive configuration files located at $HOME/.openclaw/openclaw.json and /data/.clawdbot/openclaw.json. It uses jq and node -e to extract apiKey values from these files. Furthermore, it instructs sub-agents to perform the same harvesting logic at runtime.
  • [COMMAND_EXECUTION]: The skill uses git remote set-url with the GH_TOKEN embedded directly in the remote URL (e.g., https://x-access-token:$GH_TOKEN@github.com/...). This practice often leads to authentication tokens being stored in plain text within the local .git/config file, creating a persistent credential exposure risk on the disk.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It ingests untrusted content from GitHub issue bodies, titles, and pull request reviews, which are then interpolated directly into the task prompts for spawned sub-agents. These sub-agents have the capability to execute shell commands, read/write files, and make network requests. An attacker could craft a malicious GitHub issue containing instructions to exfiltrate data or modify the codebase, which the sub-agent might execute.
      • Ingestion points: Phase 2 (GitHub Issues API) and Phase 6.2 (GitHub Review/Comments API).
      • Boundary markers: Uses <issue> and <review_comments> XML-style tags, but lacks explicit instructions for the agent to ignore potentially malicious commands within the ingested data.
      • Capability inventory: Sub-agents can execute git (push/commit), curl (network ops), grep/find (codebase search), and node -e (dynamic execution).
      • Sanitization: No evidence of sanitization or validation of the external GitHub content before it is processed by the AI sub-agents.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 19, 2026, 12:15 AM