Security Audit
jaim12005/openclaw-skill-repoprompt:root
github.com/jaim12005/openclaw-skill-repoprompt

Trust Assessment
jaim12005/openclaw-skill-repoprompt:root received a trust score of 44/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 1 critical, 4 high, 4 medium, and 0 low severity. Key findings include Sensitive environment variable access: $HOME, Excessive Filesystem Permissions, Direct Prompt Injection via Task Argument.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 3/100, indicating areas for improvement.
Last analyzed on April 1, 2026 (commit cb5ac448). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Direct Prompt Injection via Task Argument. The `scripts/agent-safe.sh` script directly embeds the user-controlled `$TASK` variable into a heredoc that forms the prompt for the LLM. An attacker can inject malicious instructions into the `$TASK` argument, manipulating the LLM's behavior, overriding its safety mechanisms, or causing it to perform unintended actions. Sanitize or escape user-provided input (`$TASK`) before embedding it directly into LLM prompts. Consider passing the task as a structured data field to the LLM rather than directly injecting it into the prompt string, or use a templating mechanism that automatically escapes user input. | LLM | scripts/agent-safe.sh:140 |
| HIGH | Excessive Filesystem Permissions. The skill requests `filesystem:/Users` permission in its manifest. This grants overly broad access to the entire user directory, including sensitive configuration files, personal documents, and potentially credentials. This level of access is typically not required for repository management and significantly increases the attack surface. Restrict filesystem permissions to the minimum necessary scope. Instead of `/Users`, specify more granular paths relevant to the skill's operation, such as `$HOME/Documents/github` or a dedicated skill workspace directory. | LLM | SKILL.md:5 |
| HIGH | Command Injection via `rp-cli -e` Argument. The `scripts/rp.sh` script directly passes the user-controlled `$CMD` argument to `rpflow.sh exec -e "$CMD"`. This allows an attacker to inject arbitrary commands into the `rp-cli` interpreter, potentially performing unintended actions within the Repo Prompt application, such as modifying files, changing workspace settings, or executing other tools. While this is an injection within the `rp-cli` domain, it still represents a significant security risk. Avoid directly concatenating user input into command strings. If `rp-cli` commands must be constructed from user input, implement strict validation and escaping of all components. Ideally, provide a more structured interface for `rp-cli` operations rather than a raw command string. | LLM | scripts/rp.sh:60 |
| HIGH | Arbitrary File Write via `--out` Argument. Multiple scripts (`agent-safe.sh`, `export-prompt.sh`, `plan-export.sh`, `context-flow.sh`) accept a user-controlled `--out FILE` argument, which is then used to specify the output path for generated content. This allows an attacker to write to arbitrary file paths on the system, potentially overwriting critical system files, configuration files, or exfiltrating data by writing it to an attacker-controlled location. This risk is exacerbated by the `filesystem:/Users` permission. Restrict output file paths to a designated, isolated directory (e.g., a temporary directory or a skill-specific output folder). Implement strict validation to ensure that the output path does not escape this designated directory. | LLM | scripts/agent-safe.sh:120 |
| HIGH | Data Exfiltration via Arbitrary File Read in Report Summary. The `scripts/report-summary.sh` script takes arbitrary file paths as arguments and reads their content using `python3`'s `p.read_text()`. If an attacker can control the arguments passed to this script, they can force it to read any file on the system (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) and print its contents to standard output, leading to data exfiltration. This is particularly concerning given the `filesystem:/Users` permission. Implement strict validation for file paths passed to `report-summary.sh`. Ensure that only files within a designated, skill-controlled output directory can be read. Avoid reading arbitrary user-specified file paths. | LLM | scripts/report-summary.sh:29 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | SKILL.md:15 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | scripts/bootstrap-github.sh:9 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | scripts/rpflow.sh:4 |
| MEDIUM | Untrusted `PYTHONPATH` and External Repository Dependency. The `scripts/rpflow.sh` script relies on the `RPFLOW_REPO` environment variable (defaulting to `$HOME/Documents/github/repoprompt-rpflow-cli`) and sets `PYTHONPATH=src` before executing `python3 -m rpflow.cli`. If an attacker can compromise the `repoprompt-rpflow-cli` repository or manipulate the `RPFLOW_REPO` environment variable to point to a malicious directory, they could inject and execute arbitrary Python code. Pin the `rpflow` dependency to a specific version or commit hash. Validate the integrity of the `RPFLOW_REPO` before execution (e.g., by checking a cryptographic hash). Ensure `RPFLOW_REPO` cannot be easily overridden by untrusted input. Consider packaging `rpflow` as a proper Python dependency rather than relying on `PYTHONPATH` and a local clone. | LLM | scripts/rpflow.sh:66 |
Full report: https://skillshield.io/report/16d10b1c083789f9 (powered by SkillShield)