Coala Client

Type: OpenClaw Skill Name: skills-4 Version: 0.1.1 The SKILL.md documents the `coala-client` tool, which possesses high-risk capabilities. Specifically, it mentions an 'optional sandbox to run shell commands' via the `--sandbox` option, indicating potential arbitrary command execution. More critically, the skill instructs the agent on how to use `coala mcp-import` and `coala skill` to fetch and process content (CWL toolsets, skills) from arbitrary `http(s) URLs` or `.zip` files. The execution of `run_mcp.py` from imported toolsets and the loading of skill content from remote sources represent significant supply chain risks and potential remote code execution vulnerabilities if the agent is prompted to import from a malicious URL. While the skill itself does not contain malicious payloads, it describes and enables functionalities that are highly susceptible to exploitation.