The Agent Skills Directory

[COMMAND_EXECUTION]: The script scripts/sync_reminders.ts constructs shell commands for the clawdbot CLI by interpolating habit names directly into a command string. Because these names are provided by the user via manage_habit.ts and are not sanitized or escaped before being used in a shell context, an attacker could create a habit with a name containing shell metacharacters (e.g., $(command) or ; command) to achieve arbitrary code execution.\n- [COMMAND_EXECUTION]: The skill frequently uses execSync to run internal scripts and platform commands (found in check_cron_jobs.ts, coaching-engine.ts, and init_skill.ts). The pattern of building shell command strings from dynamic variables throughout the codebase presents a systemic risk of command injection.\n- [EXTERNAL_DOWNLOADS]: During installation (install.sh) and maintenance, the skill downloads external Node.js dependencies from the NPM registry. While the packages (e.g., @napi-rs/canvas, chrono-node) are well-known, this remains a vector for supply chain risks.\n- [PROMPT_INJECTION]: The skill processes untrusted user input using the parse_natural_language.ts script. This data is subsequently used to populate habit metadata and integrated into automated prompts and coaching messages. The absence of robust boundary markers or sanitization for this content creates a surface for indirect prompt injection, which could be used to manipulate agent behavior during scheduled coaching sessions.

habit-flow