Workspace Anchor

Manages multi-agent projects by discovering, listing, switching, and validating workspace anchors using environment paths to prevent context drift.

This skill mostly does what its README says (find and manage .project-lock project files), but there are several red flags you should address before installing or running it on sensitive systems: - Interoperability bugs: create.js writes JSON lock files while discover/validate expect a plain-text NAME:/ROOT: format — the tool may not work as intended and could overwrite or create unusable lock files. - Broken shell command: validate.getCurrentProject contains a malformed execSync('bash -c ...') string; it will likely fail and may produce unexpected shell behavior. - Shell execution risks: the code runs find, cat, grep, sed and other shell commands with interpolated paths. If any path or env value is attacker-controlled or contains quoting characters, this could lead to command injection or accidental reading of unrelated files. Prefer replacing shell calls with native Node FS traversal or robustly sanitize/escape inputs. - File-write behavior: createLockFile will write .project-lock to arbitrary provided directories and may overwrite existing files without prompting. Recommendations: - Do not run this skill as a privileged user; test it in a disposable environment first. - Review and fix the create/discover format mismatch (choose either the textual protocol or JSON and make all components consistent). - Fix the malformed shell quoting in validate.getCurrentProject and remove unsafe shell pipelines; use native fs operations where possible. - Add explicit input sanitization/escaping for any path used in execSync, or avoid execSync entirely for path searches. - If you need the functionality but cannot audit/fix the code, avoid installing in environments with sensitive data. If the owner can provide an updated release that removes shell pipelines (or properly sanitizes inputs) and fixes the format/logic bugs, that would raise confidence in the skill.

Type: OpenClaw Skill Name: workspace-anchor Version: 1.0.0 The skill is classified as suspicious due to significant prompt injection risks in its agent instructions and the use of shell command execution. Both SKILL.md and README.md explicitly instruct the AI agent to use `exec`, `find`, or `ls` to locate files, granting broad shell execution capabilities. While the stated purpose is benign (finding `.project-lock` files), this instruction creates a vulnerability where a malicious follow-up prompt could leverage this granted capability for unauthorized actions. Additionally, the Node.js code in `lib/discover.js` and `lib/validate.js` uses `child_process.execSync` for system commands like `find` and `cat/grep/sed`, and to interact with an external `project-enforcer.sh` script, which, while quoted, represents powerful execution capabilities.