configure-openclaw

Fail

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: In Step 7, the skill uses the eval command to run curl for testing the gateway connection. The $AUTH_HEADER and $GATEWAY_URL variables, which are populated directly from user input, are interpolated into the shell command string before it is evaluated. An attacker who controls the URL or header value can include shell metacharacters (e.g., `;`, backticks, `$(...)`) and execute arbitrary commands on the host system with the privileges of the user running the skill.
  • [CREDENTIALS_UNSAFE]: The skill prompts users for sensitive 'Authorization' header values (such as Bearer tokens) and writes them in cleartext to ~/.claude/omc_config.openclaw.json. This exposes long-lived authentication credentials to any local user or process with read access to that directory.
  • [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by allowing users to define instruction templates that incorporate untrusted session data, which is then sent to external gateways.
  • Ingestion points: Runtime data such as user prompts ({{prompt}}), questions ({{question}}), and tool names ({{toolName}}) used in the templates defined in Step 5.
  • Boundary markers: No boundary markers or instructions to ignore embedded commands are present in the template construction.
  • Capability inventory: The skill can perform arbitrary network requests via curl and write to the filesystem using jq and mkdir.
  • Sanitization: No sanitization, escaping, or validation of the interpolated variables is performed before transmission.
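The following is an added example illustrating the first two findings; it is not code from the configure-openclaw skill. It places the eval pattern the audit describes next to a hardened replacement that passes each value as its own argument, validates the URL and header first, and writes the configuration file with mode 0600. The function names (gateway_test_unsafe, gateway_test_safe, validate_gateway_url, validate_header_value, write_token_config, file_mode) and the JSON layout are assumptions. A shell function named curl stands in for the real binary and only prints the arguments it received, so the example runs offline and makes no network request.

```shell
#!/bin/sh
# Added example (not the skill's own code). Assumed names throughout.
# Stand-in for curl: prints its argv so we can see exactly what the shell
# would have handed to the real binary. No network access is performed.
curl() {
  printf 'curl-argv:'
  for a in "$@"; do printf ' [%s]' "$a"; done
  printf '\n'
}

# The pattern from the COMMAND_EXECUTION finding: user-controlled values are
# interpolated into a string that is then handed to eval. The single quotes
# do not protect anything, because the attacker's value can close them.
gateway_test_unsafe() {
  AUTH_HEADER=$1
  GATEWAY_URL=$2
  eval "curl -s -H '$AUTH_HEADER' '$GATEWAY_URL'"
}

# Accept only an http(s) URL built from a host, optional port and a path with
# no whitespace or shell metacharacters. Control characters (including a
# newline, which would let a second line slip past grep) are rejected first.
validate_gateway_url() {
  case $1 in *[[:cntrl:]]*) return 1 ;; esac
  printf '%s' "$1" | grep -Eq '^https?://[A-Za-z0-9.-]+(:[0-9]{1,5})?(/[A-Za-z0-9._~/%?=&-]*)?$'
}

# Reject empty header values and any value containing CR/LF or other control
# characters, which could smuggle an extra header or request line.
validate_header_value() {
  case $1 in
    '') return 1 ;;
    *[[:cntrl:]]*) return 1 ;;
  esac
  return 0
}

# Hardened replacement: no eval. Each value becomes a single argv element, so
# quotes, semicolons and $(...) in the input stay literal characters.
gateway_test_safe() {
  auth_header=$1
  gateway_url=$2
  validate_gateway_url "$gateway_url" || { echo "rejected gateway URL" >&2; return 2; }
  validate_header_value "$auth_header" || { echo "rejected header value" >&2; return 2; }
  curl -s -H "$auth_header" "$gateway_url"
}

# CREDENTIALS_UNSAFE mitigation: if the token has to live on disk at all,
# create the file under umask 077 and force mode 0600 even when the file
# already existed with looser permissions. Escapes backslash and double quote
# for JSON; assumes the values contain no control characters (checked above).
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

write_token_config() {
  cfg=$1
  url=$2
  header=$3
  ( umask 077
    printf '{"gatewayUrl":"%s","authHeader":"%s"}\n' \
      "$(json_escape "$url")" "$(json_escape "$header")" > "$cfg" )
  chmod 600 "$cfg"
}

# Permission string of a file (e.g. "-rw-------"), used to verify the mode.
file_mode() {
  ls -ld "$1" | cut -c1-10
}
```

With a URL such as `http://gw.example'; echo INJECTED #`, gateway_test_unsafe runs the injected echo after the curl call, while gateway_test_safe refuses the value before anything is executed. The URL allow-list is deliberately narrow; widen the character class only for characters the gateway actually needs.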
Recommendations
  • Automated analysis detected serious security threats in this skill; review the findings under Full Analysis.
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 5, 2026, 03:15 PM