Search

The skill bundle contains hardcoded absolute Windows file paths (D:\winopenclaw\workspace\...) and attempts to execute external Python scripts via api.exec that are not included in the package (plugin.ts). It also includes a hardcoded Tavily API key (tvly-dev-...) in multiple files (plugin.ts, providers/tavily.ts). The use of api.exec to run unverified local scripts combined with hardcoded credentials and specific environment assumptions is highly irregular and poses a security risk.