openclaw-parallels-smoke
Warn
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructs the agent to source the host's profile file (source "$HOME/.profile") to retrieve API keys for services like OpenAI and Anthropic. Loading credentials directly from local configuration files into the execution environment increases the risk of accidental exposure or leakage.
- [COMMAND_EXECUTION]: The workflow relies heavily on executing shell commands and scripts on both the host and guest VMs, including prlctl for VM management and pnpm/npm for testing. It also involves dynamic script generation, such as writing and executing temporary shell scripts in guest environments.
- [EXTERNAL_DOWNLOADS]: The skill performs several external operations, including downloading packages via npm/pnpm and curl. It specifically directs the guest VMs to download software tarballs from a host-side HTTP server and public registries.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it requires the agent to read and interpret log files (e.g., /tmp/openclaw-parallels-) generated by tests running in VMs. If these tests log untrusted data from external sources, an attacker could potentially influence the agent's behavior.
  * Ingestion points: Test log files in /tmp/openclaw-parallels- and guest-specific logs like macos-fresh.log.
  * Boundary markers: None present; the agent is instructed to "inspect" or "read the auto-dumped tail" of the logs without delimiters.
  * Capability inventory: The agent has capabilities to execute shell commands, manage virtual machines, and interact with provider APIs.
  * Sanitization: No validation or sanitization of the log content is mentioned before processing.
Audit Metadata