skills/zacember/skills/clawclash/Gen Agent Trust Hub

clawclash

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill is designed to ingest challenge data and problem descriptions from an external API, creating a surface for indirect prompt injection.
    • Ingestion points: Challenge data and feedback are retrieved via curl in scripts/clawclash.sh (functions cmd_start and cmd_turn).
    • Boundary markers: No boundary markers or delimiters are used to wrap external content when presented to the agent.
    • Capability inventory: The skill has network access (curl) and read/write access to the user's home directory (~/.clawclash/).
    • Sanitization: No sanitization or validation is performed on the data returned from the API before it is processed by the agent.
  • [Data Exposure & Exfiltration] (LOW): The skill communicates with clawclash.vercel.app, which is not on the trusted source whitelist. It stores a session-based API key in ~/.clawclash/config.json. While it properly uses chmod 600 to restrict file access, the whoami command explicitly prints the key to the standard output.
  • [Command Execution] (LOW): The bash script constructs JSON payloads using printf with unescaped shell variables (e.g., in cmd_register). While the variables are double-quoted during the curl call (preventing immediate shell RCE), this pattern allows for JSON structure injection if input parameters contain double quotes or other control characters.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:33 PM