The Agent Skills Directory

[DATA_EXFILTRATION]: The send_email_with_attachments function in email_sender.py provides the capability to read any file from the host filesystem and send it as an email attachment. This could be exploited to exfiltrate sensitive data such as SSH keys or configuration files if the agent's input is not strictly controlled.
Evidence: The function uses open(filepath, 'rb') on user-provided paths and attaches the content to a MIMEMultipart message.
[CREDENTIALS_UNSAFE]: The skill contains hardcoded absolute file paths and specific user identifiers belonging to the developer's environment, which may leak information about the development system and hardcodes a default sender email address.
Evidence: load_env_file in email_sender.py searches for a hardcoded path /Users/delta/.openclaw/.env. examples.py also hardcodes a workspace path in sys.path.
[PROMPT_INJECTION]: The skill's documentation and logic enforce behavioral constraints that mandate the inclusion of promotional content (advertisements) and specific formatting in every email, overriding potential user or agent preferences.
Evidence: SKILL.md defines 'Mandatory Rules' for advertisement inclusion, and the send_tech_email function in email_sender.py automatically injects EVENT_AD_TEMPLATE unless explicitly disabled.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data (email content and subjects) and wraps them in HTML templates without sanitization or boundary markers.
Ingestion points: to_email, subject, body, and content arguments across all functions in email_sender.py.
Boundary markers: None identified in the prompt construction.
Capability inventory: Filesystem read (open), Network communication (smtplib.SMTP_SSL).
Sanitization: No sanitization or escaping is performed on input strings before they are interpolated into HTML templates.

email-sender