Security Audit
darwintree/openclaw-skills:public/imas-cd-card
github.com/darwintree/openclaw-skills
Trust Assessment
darwintree/openclaw-skills:public/imas-cd-card received a trust score of 50/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 0 critical, 2 high, 2 medium, and 2 low severity. Key findings include "Suspicious import: requests", "Server-Side Request Forgery (SSRF) via user-controlled URL", and "Server-Side Request Forgery (SSRF) via user-controlled URL (image fetch)".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 52/100, indicating areas for improvement.
Last analyzed on April 1, 2026 (commit 79a91adf). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Server-Side Request Forgery (SSRF) via user-controlled URL. The skill fetches content from a user-provided `event_url` using `requests.get()`. A malicious user could provide a URL pointing to internal network resources, potentially allowing the skill to access sensitive internal services, scan internal networks, or exfiltrate data from other internal systems. This is a direct consequence of processing untrusted URLs. Implement strict URL validation (e.g., allowlist of domains, block private IP ranges, prevent redirects to internal IPs) before making HTTP requests to user-provided URLs. Consider using a dedicated proxy or service for external requests to isolate the skill from the internal network. | Static | scripts/render_cd_card.py:49 |
| HIGH | Server-Side Request Forgery (SSRF) via user-controlled URL (image fetch). Similar to the main content fetch, the skill fetches cover images from URLs derived from the user-provided `event_url` using `requests.get()`. This presents another SSRF vector where a malicious user could potentially force the skill to fetch images from internal resources. Implement strict URL validation (e.g., allowlist of domains, block private IP ranges, prevent redirects to internal IPs) before making HTTP requests to user-provided URLs. Consider using a dedicated proxy or service for external requests to isolate the skill from the internal network. | Static | scripts/render_cd_card.py:140 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | public/imas-cd-card/scripts/render_cd_card.py:25 |
| MEDIUM | Image parsing vulnerabilities from untrusted input. The skill uses Pillow (`Image.open`) to process images fetched from external, user-controlled URLs. Maliciously crafted image files could exploit vulnerabilities in Pillow's parsing logic, potentially leading to denial of service, memory exhaustion, or, in rare cases, arbitrary code execution. While Pillow is generally robust, processing untrusted image data always carries this inherent risk. Ensure Pillow is always updated to the latest version to mitigate known vulnerabilities. Consider running image processing in a highly sandboxed environment or using a dedicated, hardened image processing service that is isolated from the main skill execution. | Static | scripts/render_cd_card.py:143 |
| LOW | Unpinned dependencies in `uv run` commands. Several dependencies (`pillow`, `requests`, `beautifulsoup4`, `qrcode`, `pytz`) are specified without version pinning in the `uv run` commands. This can lead to non-deterministic builds, unexpected behavior, or the introduction of vulnerabilities if a new, incompatible, or malicious version of a dependency is released. While `uv --isolated` helps, it doesn't prevent new versions from being pulled. Pin all dependencies to specific versions (e.g., `pillow==9.5.0`) to ensure deterministic builds and prevent unexpected changes or supply chain attacks from new versions. Regularly audit and update pinned dependencies. | Static | SKILL.md:19 |
| LOW | Absolute font path implies specific filesystem access. The skill specifies an absolute path for a font file (`/home/openclaw/.openclaw/workspace/assets/fonts/NotoSansCJKjp-Regular.otf`). This implies an expectation of specific filesystem access outside the skill's immediate directory. While not directly user-controlled in the provided examples, if the `--font` argument were to become user-controlled, it could potentially be used for arbitrary file reads or to load malicious font files if the font rendering library has vulnerabilities. It also indicates a dependency on a specific host environment setup. If possible, bundle necessary fonts within the skill package and use relative paths. If an external font is required, ensure the path is validated and restricted to a safe, read-only directory. If the `--font` argument can be user-controlled, implement strict validation to prevent path traversal or arbitrary file access. | Static | scripts/render_cd_cards_from_schedule.py:70 |