daily-info

Type: OpenClaw Skill Name: daily-info Version: 1.0.0 The skill is suspicious due to a critical shell injection vulnerability in `SKILL.md`. The `curl -s "wttr.in/城市名?lang=zh"` command allows arbitrary command execution if the `城市名` (city name) parameter is derived from unsanitized user input. Additionally, `SKILL.md` contains prompt injection instructions for the AI agent, such as controlling output formatting and suppressing error messages, which could be leveraged to hide malicious actions. While there's no direct evidence of intentional data exfiltration or persistence, the RCE risk makes this skill highly dangerous.