Evolving Agent

Pass

Audited by VirusTotal on May 11, 2026.

Findings (1)

```json
{
  "classification": "suspicious",
  "summary": "The OpenClaw AgentSkills skill bundle is classified as suspicious due to multiple critical prompt injection and shell injection vulnerabilities. The most severe is a direct shell injection vulnerability found in `modules/programming-assistant/workflows/evolution-check.md`, where the agent is instructed to execute `echo \"问题:xxx → 解决:yyy\" | python ... knowledge summarize --auto-store`. If 'xxx' or 'yyy' (derived from user input or session content) contain shell metacharacters, this allows for arbitrary command execution. Additionally, several prompt injection vulnerabilities exist: `scripts/core/merge_evolution.py` and `scripts/core/smart_stitch.py` allow arbitrary `custom_prompts` to be written into `SKILL.md` (a prompt injection surface); `scripts/github/create_github_skill.py` writes potentially untrusted GitHub README content into new `SKILL.md` files; and `scripts/knowledge/summarizer.py` extracts user feedback/session content into the knowledge base, which is then retrieved and re-injected into the AI's context by `scripts/knowledge/query.py`, `scripts/knowledge/trigger.py`, and `scripts/programming/query_experience.py`. The `modules/knowledge-base/agents/retrieval-agent.md` and `modules/programming-assistant/workflows/full-mode.md`/`simple-mode.md` explicitly show user input
```