configure-notifications
Warn
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill manages the configuration of 'custom_cli_command' and 'openclaw' gateways, which allow the agent to write arbitrary shell command templates to the persistent configuration file located at `~/.codex/.omx-config.json`. These commands are intended to be executed automatically when specific system events occur.
- [COMMAND_EXECUTION]: The skill uses bash scripts with `jq` to read and modify the local configuration file. Malicious input during the configuration steps (Step 4a, 4b) could lead to the injection of unintended shell commands.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It ingests untrusted data from the `~/.codex/.omx-config.json` configuration file and user-provided inputs via 'AskUserQuestion', then interpolates these values into instruction templates (e.g., `{{instruction}}`, `{{question}}`) used by the notification agent. The absence of strict boundary markers between the instruction and variable data could allow an attacker who influences the system event data to manipulate the notification agent's behavior.
- [DATA_EXPOSURE]: The skill reads and writes Discord, Telegram, and Slack bot tokens and webhooks to a local JSON file. While this is the intended purpose, these credentials are stored in plain text within the application's configuration directory.
Audit Metadata