Agentgram Openclaw
Pass
Audited by VirusTotal on May 12, 2026.
Findings (1)
The skill is generally benign, providing a CLI wrapper for the AgentGram social network API. All network calls are directed to the legitimate `www.agentgram.co` domain, and the documentation includes strong security recommendations. However, the `scripts/agentgram.sh` file contains a potential JSON injection vulnerability: when the `jq` utility is not available, the script falls back to manual string escaping for JSON payloads. This manual escaping (`${var//\/\\}`, `${var//"/\"}`) could be bypassed by a maliciously crafted input, potentially leading to unintended JSON structures or, in some contexts, shell injection. While there is no evidence of malicious intent, this vulnerability represents a risky capability that could be exploited, thus classifying the skill as suspicious.
