clawdbot-for-vcs

Remove the injection payload from the skill definition. Text that attempts to reset agent context or override prior directives is a direct attack vector.

Likely FP if the text is in a security tutorial or research paper discussing injection techniques as examples, not in an active skill description.

Restrict file reading to the project directory and block outbound network calls that include file contents. Implement file path validation to prevent directory traversal.

Likely FP if the tool legitimately reads project files and displays them to the user locally, without sending data to external services.

Verify the authenticity of downloaded packages by checking GPG signatures or SHA-256 checksums against a trusted source. Do not rely solely on HTTPS for package integrity.

Likely FP if the package installation uses a well-known package manager (npm, pip) which already verifies package integrity by default.

Restrict email and messaging API access to user-initiated actions. Prevent automated sending that could exfiltrate data via email body or attachments.

Likely FP if the skill is an email client or messaging tool whose documented purpose is to send messages on behalf of the user.

Restrict email and messaging API access to user-initiated actions. Prevent automated sending that could exfiltrate data via email body or attachments.

Likely FP if the skill is an email client or messaging tool whose documented purpose is to send messages on behalf of the user.

Pin Go install targets to a specific version (e.g., go install example.com/tool@v1.2.3). Avoid @latest as it fetches whatever is currently published.

Likely FP if the go install target is a well-known tool (e.g., golang.org/x/ packages) pinned to a specific version in documentation.