Digiforma
Pass
Audited by VirusTotal on May 11, 2026.
Findings (1)
The skill defines a `curl` command in `SKILL.md` that uses a placeholder `YOUR_GRAPHQL_QUERY`. While the command itself is necessary for the skill's stated purpose of querying a GraphQL API, this placeholder represents a potential shell injection vulnerability. If the OpenClaw agent does not properly sanitize or escape user-provided input before substituting it into `YOUR_GRAPHQL_QUERY`, a malicious user could inject arbitrary shell commands, leading to remote code execution. This is a significant risk, classifying the skill as suspicious due to the inherent vulnerability, even without clear evidence of intentional malicious design by the skill author.
