Security Audit
karmiphuc/openclaw-docs-skill:root
github.com/karmiphuc/openclaw-docs-skill
Trust Assessment
karmiphuc/openclaw-docs-skill:root received a trust score of 34/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 0 critical, 3 high, 3 medium, and 0 low severity. Key findings include "Sensitive environment variable access: $HOME", "Potential Command Injection via CLI Arguments", and "Explicit Exposure of Sensitive Configuration File Paths".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 34/100, indicating areas for improvement.
Last analyzed on May 1, 2026 (commit 28b380c9). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential Command Injection via CLI Arguments.** The skill provides numerous examples of `openclaw` commands that accept user-supplied arguments (e.g., `--target`, `--message`, `--channel`, `--token`, `--workspace`, `--name`). If the host LLM constructs these commands by directly embedding untrusted user input without proper sanitization, an attacker could inject shell metacharacters or malicious commands. This could lead to arbitrary code execution on the host system. Implement robust input validation and sanitization for all user-supplied arguments before constructing and executing shell commands. Consider using a dedicated command execution library that handles argument escaping automatically, or explicitly quote/escape all user inputs. | Static | SKILL.md:18 |
| HIGH | **Explicit Exposure of Sensitive Configuration File Paths.** The skill explicitly lists commands to view the contents of potentially sensitive configuration and log files, such as `~/.openclaw/openclaw.json`, `~/.openclaw/exec-approvals.json`, `~/.openclaw/logs/gateway.log`, and `~/.openclaw/openclaw.json.bak`. If an LLM is prompted to execute these `cat` commands, it could inadvertently exfiltrate sensitive data, including API keys, tokens, user settings, or execution policies. Avoid providing direct `cat` commands for sensitive files. Instead, if specific configuration values need to be accessed, use `openclaw config get <path>` which can be more controlled. Implement strict access controls and logging for any attempts to read sensitive files. | Static | SKILL.md:189 |
| HIGH | **Excessive Permissions and System-Level Operations.** The `openclaw` CLI, and by extension this skill, demonstrates capabilities that require significant system privileges. These include installing system services (`openclaw onboard --install-daemon`, `openclaw gateway install`), performing deep security audits with auto-fix (`openclaw security audit --deep --fix`), and executing full system resets (`openclaw reset --scope full --yes`). Such broad access increases the potential impact of any successful command injection or malicious prompt, allowing an attacker to modify system configurations, install services, or delete critical data. Review the necessity of all high-privilege operations. If possible, restrict the skill's execution environment to a sandboxed or least-privilege context. Implement explicit user confirmation or approval mechanisms for critical system-modifying commands. | Static | SKILL.md:100 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | references/update-skill.sh:9 |
| MEDIUM | **Local Storage of Sensitive Configuration and State Data.** The `references/update-skill.sh` script explicitly writes the `openclaw` configuration (`local-config.json`) and local state information (version, gateway port, agents, channels) to files within the skill's directory (`$SKILL_DIR/references/local-config.json` and `$SKILL_DIR/references/local-state.md`). While intended for internal use, this centralizes potentially sensitive data, making it a target for exfiltration if the skill's directory is compromised or if the LLM is prompted to read these files. Minimize the storage of sensitive data in plain text files within the skill's directory. If necessary, ensure these files are protected with appropriate file system permissions. Consider encrypting sensitive portions of the stored data. Regularly audit what information is being stored and if it's truly necessary. | Static | references/update-skill.sh:34 |
| MEDIUM | **Unverified External Resource Downloads.** The `references/update-skill.sh` script downloads content from external URLs (`https://docs.openclaw.ai/cli` and `https://docs.openclaw.ai/llms.txt`) using `curl`. While these are official OpenClaw domains, any compromise of these external resources could lead to the skill downloading and potentially processing malicious content. There are no integrity checks (e.g., checksums, GPG signatures) on the downloaded files, making the skill vulnerable to supply chain attacks if the external server is compromised. Implement integrity checks (e.g., SHA256 checksums) for downloaded files to verify their authenticity. Consider pinning specific versions or hashes of external resources. If possible, host critical resources locally or use trusted content delivery networks with strong security guarantees. | Static | references/update-skill.sh:22 |