kb-abstract-fetch

Warn

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The Python script uses subprocess.run to call the openclaw CLI for browser automation. The path to this executable is configurable via the --openclaw-bin argument. If an attacker can influence the arguments passed to the script, they could potentially execute arbitrary local binaries by pointing this parameter to a system tool (e.g., /bin/sh).
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) because it scrapes abstracts from external websites and writes them to a database without sanitizing for malicious instructions.
    • Ingestion points: Data is ingested from external publisher websites reached via https://doi.org/ redirects based on DOI strings in the database.
    • Boundary markers: The scraped 'abstract' text is stored in the database without any delimiters or markers that would distinguish it as untrusted content to downstream AI agents.
    • Capability inventory: The script possesses database write permissions (UPDATE) and the ability to execute system commands through subprocess.run.
    • Sanitization: While the script performs whitespace normalization and removes prefixes like 'Abstract:', it does not filter for control characters, escape sequences, or natural language instructions that could hijack agent behavior later.
  • [EXTERNAL_DOWNLOADS]: The skill performs dynamic network requests to resolve DOIs and scrape content from various external academic publisher domains. This interaction with unverified third-party websites is an inherent part of its functionality but presents a risk of interacting with malicious or compromised servers.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 26, 2026, 11:48 AM