clawdbot-skill-update

Warn

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: MEDIUM | DATA_EXFILTRATION | COMMAND_EXECUTION | EXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXFILTRATION] (MEDIUM): The skill is designed to access and back up highly sensitive application data. Specifically, backup-clawdbot-full.sh targets the ~/.clawdbot/credentials/ directory, which the documentation states contains authentication tokens and credentials. While the backup is stored locally in ~/.clawdbot-backups/, the programmatic handling of secrets is a high-privilege activity.
  • [COMMAND_EXECUTION] (MEDIUM): Both the backup and restore scripts (backup-clawdbot-full.sh, restore-clawdbot.sh) use jq to parse the clawdbot.json configuration file and dynamically construct paths for shell commands like tar, rm -rf, and mkdir. If an attacker were to modify the local configuration file to include malicious paths (e.g., in the workspace field), the scripts could be induced to perform unauthorized file deletions or overwrites within the user's permission scope.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill's update workflow relies on fetching and pulling code from an external GitHub repository (https://github.com/clawdbot/clawdbot) and executing pnpm install. Although this is standard for application updates, the repository is not on the trusted source list, requiring the user to trust the upstream maintainers.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill has a surface for indirect injection as it processes data from clawdbot.json to determine its execution logic without robust path validation or boundary markers between the config data and shell commands.
      • Ingestion points: ~/.clawdbot/clawdbot.json (accessed by backup-clawdbot-full.sh and restore-clawdbot.sh).
      • Boundary markers: Absent; the script directly interpolates JSON values into shell strings.
      • Capability inventory: File deletion (rm -rf), directory creation (mkdir -p), archiving (tar), and package management (pnpm).
      • Sanitization: Minimal; agent IDs are transformed for filenames, but workspace paths are used directly as targets for tar and rm.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Feb 22, 2026, 05:45 AM