codex-deep-search

Fail

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: HIGH
Categories: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [PROMPT_INJECTION]: The scripts/search.sh script directly interpolates the user-provided --prompt into the SEARCH_INSTRUCTION variable. This allows an attacker to inject instructions that could override the LLM's behavior, potentially leading to unauthorized data access or file system manipulation through the Codex CLI tool.
  • [DATA_EXPOSURE]: The script reads sensitive authentication information from /home/ubuntu/.openclaw/openclaw.json. Specifically, it extracts HOOK_TOKEN, which is then used to authenticate requests to a local API endpoint (/hooks/wake).
  • [DATA_EXFILTRATION]: The skill implements a Telegram notification feature that uses the --telegram-group parameter. A malicious user could provide a Chat ID they control to receive summaries of search results, which might include sensitive information gathered during the search process.
  • [COMMAND_EXECUTION]: The skill executes shell commands and external CLI tools (codex, openclaw, jq, curl) using arguments directly derived from user input, such as --output, --task-name, and --model. This increases the risk of command injection if parameters are not strictly validated.
  • [INDIRECT_PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through web content.
      • Ingestion points: Untrusted web content is fetched via the codex CLI and written to the output file.
      • Boundary markers: No delimiters or instructions are used to separate search results from the agent's core instructions.
      • Capability inventory: The skill can write to files, send messages to Telegram, and trigger local webhooks via curl.
      • Sanitization: No sanitization or validation of the fetched web content is performed before processing or summarization.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 24, 2026, 04:19 PM