Trust Assessment
AmrDab/clawd-cursor:root received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 31 findings: 26 critical, 3 high, 1 medium, and 0 low severity. Key findings include network egress to untrusted endpoints, arbitrary command execution, and an unpinned npm dependency version.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on March 12, 2026 (commit d0945b73). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (31)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | SKILL.md:84 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | SKILL.md:104 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | SKILL.md:113 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | SKILL.md:124 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | SKILL.md:133 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | SKILL.md:138 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | SKILL.md:156 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | SKILL.md:163 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | SKILL.md:169 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | SKILL.md:175 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | SKILL.md:198 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | SKILL.md:207 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | src/browser-layer.ts:148 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | src/cdp-driver.ts:131 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | src/index.ts:26 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | src/index.ts:223 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | src/index.ts:228 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | src/index.ts:245 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | src/index.ts:267 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | src/index.ts:309 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | src/index.ts:330 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | src/index.ts:368 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | src/index.ts:405 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | src/index.ts:414 |
| CRITICAL | **Arbitrary command execution.** Remote code download piped to interpreter. Recommendation: Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | src/index.ts:330 |
| CRITICAL | **Prompt Injection leading to Command/JavaScript Injection.** User-controlled input (the initial `task` and subsequent `subtask` strings) is directly embedded into LLM prompts for task decomposition (`AIBrain.decomposeTask`) and action decision (`AIBrain.decideNextAction`, `A11yReasoner.reason`, `ComputerUseBrain`). A malicious user can craft a prompt injection to manipulate the LLM's behavior. This could lead the LLM to generate `type` actions that exploit the Windows `SendKeys` vulnerability (SS-CMD-001) or `evaluateScript` actions that exploit the JavaScript injection vulnerability (SS-CMD-002). This chain of vulnerabilities allows an attacker to execute arbitrary commands on the user's system or in their browser. Recommendation: Implement robust prompt injection defenses. This includes: 1. Input sanitization: filter or escape potentially malicious characters from user input before it reaches the LLM. 2. Output validation: strictly validate and sanitize all LLM-generated actions and their parameters (especially `text` for `type` actions and `script` for `evaluate` actions) before execution. 3. Use a separate, hardened LLM for safety checks on generated actions. 4. Consider using a 'red teaming' approach to test for prompt injection vulnerabilities. | Static | src/ai-brain.ts:70 |
| HIGH | **Command Injection via Windows SendKeys.** The `scripts/interact-element.ps1` PowerShell script uses `[System.Windows.Forms.SendKeys]::SendWait($Value)` to simulate keystrokes. The `$Value` parameter is directly derived from user-controlled input (e.g., the `text` field of a `type` action generated by the LLM, or directly passed via `AccessibilityBridge.interactElement`). The `SendKeys` method is known to interpret special characters (`+`, `^`, `%`, `~`, `(`, `)`, `{`, `}`, `[`, `]`) as modifiers or commands. This allows an attacker to craft input that, when 'typed', executes arbitrary key combinations, potentially leading to system compromise (e.g., opening applications, executing commands via Run dialog, or manipulating other applications). Recommendation: Sanitize the `$Value` string before passing it to `SendKeys.SendWait` by escaping all special characters (e.g., by enclosing the string in curly braces `{}`). Alternatively, if the target UI element supports it, use `ValuePattern.SetValue` (via `invoke-element.ps1`), which directly sets the text content and is generally safer. | Static | scripts/interact-element.ps1:300 |
| HIGH | **JavaScript Injection in Browser Context via Playwright/CDP `evaluate`.** The `src/browser-layer.ts` and `src/cdp-driver.ts` modules expose `evaluate` (or `evaluateScript`) methods that execute arbitrary JavaScript code within the context of the user's browser page. If an attacker can control the `script` parameter passed to these methods (e.g., through a crafted task that the LLM is prompted to execute), they could execute malicious JavaScript. This could lead to data exfiltration (e.g., reading cookies, local storage, DOM content, API keys from web forms) or other malicious actions within the browser, bypassing browser security policies. Recommendation: Ensure that any `script` parameter passed to `page.evaluate` or similar methods is never derived from untrusted or user-controlled input. If dynamic script execution is required, strictly whitelist allowed scripts or use a secure sandboxing mechanism to limit the capabilities of the injected JavaScript. | Static | src/browser-layer.ts:400 |
| HIGH | **LLM analysis found no issues despite critical deterministic findings.** Deterministic layers flagged 26 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion. | LLM | (sanity check) |
| MEDIUM | **Unpinned npm dependency version.** Dependency '@nut-tree-fork/nut-js' is not pinned to an exact version ('^4.2.0'). Recommendation: Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | package.json |
| INFO | **Broadly Pinned Dependencies (Caret Ranges).** The `package.json` and `package-lock.json` files use caret (`^`) ranges for most dependencies (e.g., `playwright: ^1.58.2`, `sharp: ^0.33.0`). While this allows for minor and patch updates, it means that new versions of these packages could be installed automatically, potentially introducing new vulnerabilities without explicit review. This is a common practice but represents a broader supply chain risk compared to exact pinning. Recommendation: Consider using exact version pinning for all production dependencies to ensure deterministic builds and reduce the risk of unexpected vulnerabilities introduced by new package versions. Regularly audit dependencies for known vulnerabilities using tools like `npm audit`. | Static | package.json:20 |
[Full SkillShield report](https://skillshield.io/report/2cf16db42d87e420)