Freelance Pilot

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill

Name: freelance-pilot

Version: 1.0.0

The skill is classified as suspicious due to a critical shell injection vulnerability present in the `INTEGRATION.md` file. The instructions for the OpenClaw agent explicitly direct it to execute shell commands like `node freelance-pilot/index.js scan-job "[job text]"` and `node freelance-pilot/index.js calculate-bid [hours] [complexity]`. If the agent does not properly sanitize or escape the user-provided `[job text]`, `[hours]`, or `[complexity]` inputs before executing these commands, a malicious user could inject arbitrary shell commands, leading to remote code execution on the host system. While the `index.js` script itself appears benign, the integration instructions create a significant attack surface.