Date Night

Type: OpenClaw Skill Name: date-night Version: 1.4.0 The skill bundle exhibits multiple critical shell injection vulnerabilities (RCE risk) and significant prompt injection risks. Specifically, the `SKILL.md` file's onboarding flow, `references/smart-features.md`'s history update via `python3 -c`, and `references/sms-codes.md`'s config update all construct shell commands by directly interpolating user-controlled variables, creating a direct path for arbitrary command execution if input is not sanitized. Additionally, agent instructions in `SKILL.md` and `references/smart-features.md` are templated with user input, posing a prompt injection risk. While there is no clear evidence of intentional malicious behavior (e.g., exfiltration to an attacker-controlled server), these severe vulnerabilities make the skill highly exploitable.