findskill.top skill marketplace detail page
agentskill.sh secured

acp-router

Route plain-language requests for Pi, Claude Code, Codex, OpenCode, Gemini CLI, or ACP harness work into either OpenClaw ACP runtime sessions or direct acpx-driven sessions ("telephone game" flow). For coding-agent thread requests, read this skill first, then use only `sessions_spawn` for thread ...

@openclaw extensions/acpx/skills/acp-router/SKILL.md GitHub Stars 276,735

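Security score

This tab presents the detection scope, the list of issues, and source snippets in the style of an audit report.

Security score 25/100
Audit date: March 28, 2026
Audit summary 3 / 6 / 0

High / Medium / Low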

Categories 4
Findings 9
Platforms 1
Sources 1

Detection categories

Instruction boundaries · Filesystem writes · Network references · Platform installation flow

Security issues

High: Command Injection
Line 98

Template literal with variable interpolation in command context

Severity: High · Category: Command Injection · Line 98
- verify `${ACPX_CMD} --version`
High: Command Injection
Line 137

Template literal with variable interpolation in command context

Severity: High · Category: Command Injection · Line 137
1. Use `exec` commands that call `${ACPX_CMD}`.
Medium: Command Injection
Line 155

Template literal with variable interpolation in command context

Severity: Medium · Category: Command Injection · Line 155
```bash
Medium: Command Injection
Line 164

Template literal with variable interpolation in command context

Severity: Medium · Category: Command Injection · Line 164
```bash
Medium: Command Injection
Line 170

Template literal with variable interpolation in command context

Severity: Medium · Category: Command Injection · Line 170
```bash
Medium: Command Injection
Line 176

Template literal with variable interpolation in command context

Severity: Medium · Category: Command Injection · Line 176
```bash
High: Command Injection
Line 214

Template literal with variable interpolation in command context

Severity: High · Category: Command Injection · Line 214
- `NO_SESSION`: run `${ACPX_CMD} <agent> sessions new --name <sessionName>` then retry prompt.
Medium: File Access
Line 200

Access to hidden dotfiles in home directory

Severity: Medium · Category: File Access · Line 200
If `~/.acpx/config.json` overrides `agents`, those overrides replace defaults.
Medium: File Access
Line 211

Access to hidden dotfiles in home directory

Severity: Medium · Category: File Access · Line 211
- for thread-spawn ACP requests, first restore built-in defaults by removing broken `~/.acpx/config.json` agent overrides

Mitigation recommendations

Review the upstream repository before copying files into a local skills directory.

Confirm install instructions and supported runtimes against SKILL.md instead of a generic readme.