Trust Assessment
review-pr received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 3 critical, 1 high, 1 medium, and 0 low severity. Key findings include Unsanitized input in shell commands (Command Injection), Unsanitized input in gh CLI commands (Command Injection), Unsanitized input in ripgrep and git log commands (Command Injection).
The analysis covered 4 layers: manifest_analysis, static_code_analysis, llm_behavioral_safety, dependency_graph. The llm_behavioral_safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 18, 2026 (commit b62bd290). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Unsanitized input in shell commands (Command Injection): The skill's instructions provide shell command templates that directly embed placeholders like `<PR>`, `<keyword_from_pr_title>`, and `<function_or_component_name>` without explicit sanitization. If the LLM substitutes user-controlled input into these placeholders without proper escaping of shell metacharacters, an attacker could inject arbitrary commands. This is a direct path to arbitrary code execution. Instruct the LLM to sanitize all user-provided inputs (e.g., PR numbers, keywords) before embedding them into shell commands. This typically involves quoting or escaping shell metacharacters. For PR numbers, validate they are numeric. For string inputs, use `printf %q` or similar shell-specific escaping mechanisms. | Unknown | SKILL.md:40 |
| CRITICAL | Unsanitized input in gh CLI commands (Command Injection): The skill instructs the LLM to use the `gh` CLI with a placeholder `<PR>` directly. If the LLM substitutes user-controlled input for `<PR>` without sanitization, an attacker could inject arbitrary commands or manipulate the `gh` command's behavior, leading to unauthorized actions or data exfiltration. Instruct the LLM to strictly validate and sanitize the PR number to ensure it is a valid integer or URL format before passing it to `gh` commands. Implement explicit input validation and escaping for all arguments derived from user input. | Unknown | SKILL.md:60 |
| CRITICAL | Unsanitized input in ripgrep and git log commands (Command Injection): The skill uses placeholders like `<keyword_from_pr_title>` directly in `rg` (ripgrep) and `git log --grep` commands. If these keywords are derived from user-controlled PR titles or descriptions without sanitization, an attacker could inject shell metacharacters, leading to arbitrary command execution. Instruct the LLM to sanitize all keyword inputs before embedding them into `rg` or `git log` commands. This may involve quoting the entire search string or escaping specific characters that have special meaning in the shell or regex context. | Unknown | SKILL.md:79 |
| HIGH | Explicit assumption of excessive permissions: The skill explicitly states, 'Assume OpenClaw subagents run with full disk access, including git, gh, and shell.' This indicates that the skill is designed to operate in an environment with broad, unconstrained access to the filesystem and the ability to execute arbitrary shell commands. While the use of a worktree provides some isolation, the underlying permissions are excessive and amplify the impact of any command injection or other vulnerabilities, potentially leading to full system compromise. Re-evaluate the necessity of 'full disk access' and 'shell' for the skill's operation. Implement a principle of least privilege, restricting the agent's permissions to only what is strictly required. If full shell access is unavoidable, implement robust sandboxing and strict input sanitization for all commands executed. | Unknown | SKILL.md:150 |
| MEDIUM | Potential supply chain risk with package installation: The skill includes the command `pnpm install --frozen-lockfile` to bootstrap dependencies. While `--frozen-lockfile` helps ensure deterministic installs based on the `pnpm-lock.yaml`, it does not protect against a compromised `pnpm-lock.yaml` file itself or malicious packages listed within it. If the repository's lockfile is compromised or points to malicious registries/packages, this command could introduce malicious code into the worktree, which operates under 'full disk access'. Implement additional checks for the integrity of `pnpm-lock.yaml` (e.g., checksum verification against a trusted source). Consider using a private package registry with strict security policies. Ensure that the environment where `pnpm install` runs is isolated and has minimal network access to prevent exfiltration during installation. | Unknown | SKILL.md:175 |
Full report: https://skillshield.io/report/ddad4f45b304eeb8