Security Audit
cass
github.com/Mrc220/agent_flywheel_clawdbot_skills_and_integrationsTrust Assessment
cass received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 8 critical, 4 high, 0 medium, and 0 low severity. Key findings include File read + network send exfiltration, Remote code execution: curl/wget pipe to shell, Sensitive path access: SSH key/config.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 6a655802). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings12
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | File read + network send exfiltration SSH key/config file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/cass/SKILL.md:260 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/cass/SKILL.md:74 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/cass/SKILL.md:278 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/cass/SKILL.md:569 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/cass/SKILL.md:929 | |
| CRITICAL | Potential Arbitrary File Read via `cass view` and `cass expand` The `cass view` and `cass expand` commands are documented to accept arbitrary file paths (e.g., `/path/to/session.jsonl`). An AI agent, if maliciously prompted, could be instructed to use these commands to attempt to read sensitive files from the local filesystem (e.g., `/etc/passwd`, `~/.ssh/id_rsa`). While `cass` is designed to process specific JSONL formats, it may still expose file contents in error messages or partial output, or simply confirm the existence and permissions of sensitive files. Implement strict path validation and sandboxing within the `cass` tool to restrict file access to only known, safe directories. Ensure that the tool's output for invalid file types does not inadvertently leak content. Consider using an allowlist for file extensions or directories that `cass` is permitted to access. | LLM | SKILL.md:42 | |
| CRITICAL | Potential Arbitrary File Write via `cass export` and `cass search --trace-file` The `cass export` command allows specifying an arbitrary output file path (`-o conversation.md`), and `cass search --trace-file` allows specifying a trace file path. An AI agent, if maliciously prompted, could be instructed to write sensitive data (e.g., search results containing credentials or private information) to an attacker-controlled location (e.g., a world-readable directory, or a network path if supported by the underlying OS/tool). It could also be used to overwrite critical system or user configuration files (e.g., `~/.bashrc`), leading to denial of service or further compromise. Implement strict path validation and sandboxing within the `cass` tool for output files. Restrict output paths to designated, secure directories or require explicit user confirmation for writes to sensitive locations. Prevent writing to network paths or system-critical files. | LLM | SKILL.md:120 | |
| CRITICAL | Excessive Permissions: Remote Data Exfiltration via `cass sources add` The `cass sources add` command allows configuring remote hosts and arbitrary local paths for synchronization via SSH/rsync. An AI agent, if maliciously prompted, could be instructed to add an attacker-controlled remote host and configure `cass` to sync sensitive local directories (e.g., `/`, `~/.ssh`, `/etc`) to that remote server. This represents a severe data exfiltration risk, as the tool is designed to facilitate broad data transfer capabilities. Implement robust authorization and user confirmation mechanisms for `cass sources add`. Restrict the `--path` argument to a predefined allowlist of safe directories or require explicit user approval for any path outside a default, sandboxed location. Ensure that SSH configuration is handled securely and does not expose private keys. | LLM | SKILL.md:195 | |
| HIGH | Sensitive path access: SSH key/config Access to SSH key/config path detected: '~/.ssh/config'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/cass/SKILL.md:260 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/cass/SKILL.md:74 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/cass/SKILL.md:278 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/cass/SKILL.md:569 |
Scan History
Embed Code
[](https://skillshield.io/report/c798f981110f3ab1)
Powered by SkillShield