Security Audit

erc-8004

github.com/BankrBot/openclaw-skills

AI SkillCommit 66de0a1e3577

CAUTION

Scanned 5 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

erc-8004 received a trust score of 50/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 15 findings: 12 critical, 3 high, 0 medium, and 0 low severity. Key findings include Hidden network beacons / undisclosed telemetry, Command Injection via Node.js `node -e` with unsanitized input, Prompt Injection via `bankr prompt` with unsanitized input.

The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. The llm_behavioral_safety layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 15, 2026 (commit 66de0a1e). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

85%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

Behavioral Risk Signals

Network Access

8 findings

Filesystem Write

8 findings

Shell Execution

9 findings

Dynamic Code

13 findings

Excessive Permissions

1 finding

Security Findings15

Severity	Finding	Layer	Location
CRITICAL	Command Injection via Node.js `node -e` with unsanitized input Multiple scripts construct and execute a Node.js command using `node -e` where user-controlled or derived variables are directly interpolated into the JavaScript string. If these variables contain characters like single quotes, double quotes, backticks, or other JavaScript metacharacters, an attacker can break out of the string and execute arbitrary Node.js code, leading to command injection. Sanitize all variables interpolated into `node -e` commands. For string values, ensure they are properly escaped for JavaScript string literals (e.g., using `JSON.stringify()` or a custom escaping function) before interpolation. Alternatively, pass data via environment variables or temporary files rather than direct string interpolation.	Unknown	scripts/get-agent.sh:40
CRITICAL	Command Injection via Node.js `node -e` with unsanitized input Multiple scripts construct and execute a Node.js command using `node -e` where user-controlled or derived variables are directly interpolated into the JavaScript string. If these variables contain characters like single quotes, double quotes, backticks, or other JavaScript metacharacters, an attacker can break out of the string and execute arbitrary Node.js code, leading to command injection. Sanitize all variables interpolated into `node -e` commands. For string values, ensure they are properly escaped for JavaScript string literals (e.g., using `JSON.stringify()` or a custom escaping function) before interpolation. Alternatively, pass data via environment variables or temporary files rather than direct string interpolation.	Unknown	scripts/register-http.sh:40
CRITICAL	Command Injection via Node.js `node -e` with unsanitized input Multiple scripts construct and execute a Node.js command using `node -e` where user-controlled or derived variables are directly interpolated into the JavaScript string. If these variables contain characters like single quotes, double quotes, backticks, or other JavaScript metacharacters, an attacker can break out of the string and execute arbitrary Node.js code, leading to command injection. Sanitize all variables interpolated into `node -e` commands. For string values, ensure they are properly escaped for JavaScript string literals (e.g., using `JSON.stringify()` or a custom escaping function) before interpolation. Alternatively, pass data via environment variables or temporary files rather than direct string interpolation.	Unknown	scripts/register-onchain.sh:60
CRITICAL	Command Injection via Node.js `node -e` with unsanitized input Multiple scripts construct and execute a Node.js command using `node -e` where user-controlled or derived variables are directly interpolated into the JavaScript string. If these variables contain characters like single quotes, double quotes, backticks, or other JavaScript metacharacters, an attacker can break out of the string and execute arbitrary Node.js code, leading to command injection. Sanitize all variables interpolated into `node -e` commands. For string values, ensure they are properly escaped for JavaScript string literals (e.g., using `JSON.stringify()` or a custom escaping function) before interpolation. Alternatively, pass data via environment variables or temporary files rather than direct string interpolation.	Unknown	scripts/register.sh:70
CRITICAL	Command Injection via Node.js `node -e` with unsanitized input Multiple scripts construct and execute a Node.js command using `node -e` where user-controlled or derived variables are directly interpolated into the JavaScript string. If these variables contain characters like single quotes, double quotes, backticks, or other JavaScript metacharacters, an attacker can break out of the string and execute arbitrary Node.js code, leading to command injection. Sanitize all variables interpolated into `node -e` commands. For string values, ensure they are properly escaped for JavaScript string literals (e.g., using `JSON.stringify()` or a custom escaping function) before interpolation. Alternatively, pass data via environment variables or temporary files rather than direct string interpolation.	Unknown	scripts/update-profile.sh:40
CRITICAL	Prompt Injection via `bankr prompt` with unsanitized input Multiple scripts use `bankr prompt` to interact with an LLM, directly interpolating user-controlled or derived variables into the prompt string. An attacker could craft malicious input (e.g., for `$AMOUNT`, `$REGISTRATION_URL`, `$IPFS_URI`, `$NEW_URI`) to manipulate the `bankr` LLM, potentially leading to unintended actions, data leakage, or other prompt injection attacks. All user-controlled or derived input passed to `bankr prompt` must be strictly sanitized or passed as structured data parameters if the `bankr` CLI supports it. Avoid direct string interpolation of untrusted input into LLM prompts. Consider using a dedicated LLM interaction library that handles input sanitization and structured prompting.	Unknown	scripts/bridge-to-mainnet.sh:20
CRITICAL	Prompt Injection via `bankr prompt` with unsanitized input Multiple scripts use `bankr prompt` to interact with an LLM, directly interpolating user-controlled or derived variables into the prompt string. An attacker could craft malicious input (e.g., for `$AMOUNT`, `$REGISTRATION_URL`, `$IPFS_URI`, `$NEW_URI`) to manipulate the `bankr` LLM, potentially leading to unintended actions, data leakage, or other prompt injection attacks. All user-controlled or derived input passed to `bankr prompt` must be strictly sanitized or passed as structured data parameters if the `bankr` CLI supports it. Avoid direct string interpolation of untrusted input into LLM prompts. Consider using a dedicated LLM interaction library that handles input sanitization and structured prompting.	Unknown	scripts/register-http.sh:54
CRITICAL	Prompt Injection via `bankr prompt` with unsanitized input Multiple scripts use `bankr prompt` to interact with an LLM, directly interpolating user-controlled or derived variables into the prompt string. An attacker could craft malicious input (e.g., for `$AMOUNT`, `$REGISTRATION_URL`, `$IPFS_URI`, `$NEW_URI`) to manipulate the `bankr` LLM, potentially leading to unintended actions, data leakage, or other prompt injection attacks. All user-controlled or derived input passed to `bankr prompt` must be strictly sanitized or passed as structured data parameters if the `bankr` CLI supports it. Avoid direct string interpolation of untrusted input into LLM prompts. Consider using a dedicated LLM interaction library that handles input sanitization and structured prompting.	Unknown	scripts/register-onchain.sh:74
CRITICAL	Prompt Injection via `bankr prompt` with unsanitized input Multiple scripts use `bankr prompt` to interact with an LLM, directly interpolating user-controlled or derived variables into the prompt string. An attacker could craft malicious input (e.g., for `$AMOUNT`, `$REGISTRATION_URL`, `$IPFS_URI`, `$NEW_URI`) to manipulate the `bankr` LLM, potentially leading to unintended actions, data leakage, or other prompt injection attacks. All user-controlled or derived input passed to `bankr prompt` must be strictly sanitized or passed as structured data parameters if the `bankr` CLI supports it. Avoid direct string interpolation of untrusted input into LLM prompts. Consider using a dedicated LLM interaction library that handles input sanitization and structured prompting.	Unknown	scripts/register.sh:84
CRITICAL	Prompt Injection via `bankr prompt` with unsanitized input Multiple scripts use `bankr prompt` to interact with an LLM, directly interpolating user-controlled or derived variables into the prompt string. An attacker could craft malicious input (e.g., for `$AMOUNT`, `$REGISTRATION_URL`, `$IPFS_URI`, `$NEW_URI`) to manipulate the `bankr` LLM, potentially leading to unintended actions, data leakage, or other prompt injection attacks. All user-controlled or derived input passed to `bankr prompt` must be strictly sanitized or passed as structured data parameters if the `bankr` CLI supports it. Avoid direct string interpolation of untrusted input into LLM prompts. Consider using a dedicated LLM interaction library that handles input sanitization and structured prompting.	Unknown	scripts/update-profile.sh:54
CRITICAL	Shell Command Injection via Heredoc and `jq` with unsanitized environment variables The `create-registration.sh` script constructs a JSON file using a heredoc (`cat << EOF`) and `jq` commands. Environment variables (`AGENT_NAME`, `AGENT_DESCRIPTION`, `AGENT_IMAGE`, `AGENT_WEBSITE`, etc.) are directly interpolated into the heredoc and `jq` arguments without proper sanitization. If these variables contain shell metacharacters (e.g., backticks, dollar signs, quotes) or JSON-breaking characters, an attacker could inject arbitrary shell commands or malformed JSON, leading to command execution or denial of service. Ensure all environment variables interpolated into shell commands or JSON structures are properly sanitized. For JSON, use `jq -n --arg name "$NAME" ... '{name: $name}'` to safely inject values. For heredocs, either escape all special characters in the variables or use a different method for constructing the JSON, such as a dedicated JSON library or `jq`'s object construction capabilities.	Unknown	scripts/create-registration.sh:46
CRITICAL	Shell Command Injection via `curl -F` with unsanitized file path The `upload-to-ipfs.sh` script uses `curl -F "file=@$JSON_FILE"` where `$JSON_FILE` is a user-controlled argument. If `$JSON_FILE` contains shell metacharacters (e.g., `;`, `\|`, `&`, `$(...)`), an attacker could inject and execute arbitrary shell commands. Sanitize the `$JSON_FILE` variable to ensure it does not contain any shell metacharacters. A safer approach would be to validate the file path strictly or use a programming language's file handling capabilities that are not susceptible to shell injection.	Unknown	scripts/upload-to-ipfs.sh:28
HIGH	Hidden network beacons / undisclosed telemetry Command output piped through base64 encoding Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious.	Unknown	/tmp/skillscan-clone-s1me5ux3/repo/erc-8004/scripts/register-onchain.sh:43
HIGH	Shell Command Injection via `curl` with unsanitized URL The `get-agent.sh` script fetches content using `curl -s "$URI"` where `$URI` is derived from on-chain data. While the URL is quoted, if the on-chain `URI` contains shell command substitution (`$(command)`) or other `curl` argument injection patterns (e.g., `http://example.com -o /dev/null; rm -rf /`), it could lead to arbitrary command execution. Strictly validate and sanitize the `URI` before passing it to `curl`. Ensure it conforms to expected URL formats and does not contain any characters that could be interpreted as shell commands or `curl` arguments. Consider using a dedicated HTTP client library in a safer language (e.g., Node.js) that does not expose shell execution risks.	Unknown	scripts/get-agent.sh:53
HIGH	Arbitrary File Write via user-controlled output path The `create-registration.sh` script allows the user to specify the output file path as the first argument (`$1`). If the agent has sufficient filesystem permissions, an attacker could provide an arbitrary path (e.g., `/etc/passwd`, `/root/.ssh/authorized_keys`) to overwrite critical system files with the generated JSON content, leading to privilege escalation or system compromise. Restrict the output file path to a safe, temporary directory (e.g., `/tmp/`) and generate a unique filename. Do not allow users to specify arbitrary file paths for writing. If a specific output location is required, implement strict validation to ensure it's within an allowed, non-sensitive directory.	Unknown	scripts/create-registration.sh:15

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/a9f19bc495ceda7f.svg)](https://skillshield.io/report/a9f19bc495ceda7f)