Security Audit
cm
github.com/Mrc220/agent_flywheel_clawdbot_skills_and_integrationsTrust Assessment
cm received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 2 critical, 2 high, 2 medium, and 2 low severity. Key findings include File read + network send exfiltration, Remote code execution: curl/wget pipe to shell, Sensitive path access: AI agent config.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 24/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 6a655802). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings8
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/cm/SKILL.md:66 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/cm/SKILL.md:794 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/cm/SKILL.md:66 | |
| HIGH | Potential Command Injection via Git Pre-Commit Hook Installation The skill provides a command `cm guard --git` to install a Git pre-commit hook. This involves writing executable content to the `.git/hooks/pre-commit` file within a repository. If the skill itself is compromised, or if the content it writes to this hook can be influenced by untrusted input (e.g., from a malicious project-level configuration file like `.cass/traumas.jsonl` or `.cass/config.json`), it could lead to arbitrary command execution every time a Git commit operation is performed in that repository. This grants the skill significant and persistent control over the user's repository actions. Ensure that the content written to the Git pre-commit hook is strictly controlled, hardcoded, and cannot be influenced by any user-provided or repository-specific configuration. Implement robust validation and sanitization for any parameters that might indirectly affect the hook's content. Consider requiring explicit user confirmation for hook installation. | Static | SKILL.md:260 | |
| MEDIUM | Potential Data Exfiltration/Credential Harvesting from Session Logs The skill processes 'Raw session logs from all agents' and exposes 'historySnippets' in its output. While the documentation mentions 'Secret Sanitization' for API keys, GitHub tokens, and other secrets, the effectiveness of this sanitization is critical. If the sanitization process is incomplete, flawed, or can be bypassed, sensitive data from these logs could be exposed in the `cm context` output or potentially exfiltrated, especially if 'cross-agent enrichment' or 'remoteCass' features are enabled and data is shared across systems or agents. The risk lies in the implementation details of the sanitization. Implement comprehensive and rigorously tested secret sanitization for all processed session logs and any data exposed via `historySnippets`. Ensure that the sanitization covers all known secret patterns and is resilient to obfuscation attempts. Provide clear documentation on the scope and limitations of the sanitization. Regularly audit the sanitization logic for potential bypasses. | Static | SKILL.md:39 | |
| MEDIUM | Risk of ReDoS or Command Injection via Trauma Guard Patterns The 'Trauma Guard' safety system allows users to define patterns (e.g., via `cm trauma add` or in `traumas.jsonl` files) to block potentially dangerous commands. If these patterns are interpreted as regular expressions, a maliciously crafted pattern could lead to a Regular Expression Denial of Service (ReDoS) attack, consuming excessive resources and potentially freezing the skill or the system. Furthermore, depending on the underlying matching engine, there's a theoretical risk of command injection if the pattern language allows for command substitution or execution within the matching context. This is particularly concerning for project-level `.cass/traumas.jsonl` files which could be controlled by an attacker. Ensure that trauma patterns are validated and sanitized to prevent ReDoS vulnerabilities. If patterns are regex-based, use a safe regex engine or implement strict limits on complexity. If patterns are used in any execution context, ensure they are properly escaped and do not allow for command substitution. Clearly define the syntax and capabilities of the pattern language and ensure it's as restrictive as possible for security-critical functions. | Static | SKILL.md:280 | |
| LOW | Potential Prompt Injection via User Input to LLMs The skill integrates with LLMs for 'Reflector' and 'Validator' stages and accepts user input for various commands, such as task descriptions (`cm context "<your task>"`) and feedback reasons (`cm mark ... --reason "..."`). If this user-provided text is directly incorporated into LLM prompts without robust sanitization or escaping, it could enable prompt injection attacks. An attacker could manipulate the LLM's behavior, extract sensitive information, or generate unintended outputs by crafting malicious input strings. Implement strict sanitization and escaping for all user-provided input before it is passed to an LLM. Use techniques like input validation, whitelisting, and explicit prompt templating to separate user input from system instructions. Consider using LLM-specific input sanitization libraries or frameworks. | LLM | SKILL.md:137 | |
| LOW | Supply Chain Risk via Configurable Embedding Model The skill's configuration allows specifying an `embeddingModel` (e.g., `"Xenova/all-MiniLM-L6-v2"`). If an attacker can modify the `config.json` file (e.g., by committing a malicious `.cass/config.json` to a project repository), they could potentially point to a malicious or compromised embedding model or library. Depending on how the model is loaded and executed, this could introduce a supply chain risk, leading to arbitrary code execution or data manipulation when the skill attempts to load or use the specified model. Restrict the `embeddingModel` configuration to a predefined whitelist of trusted models or sources. Implement strong integrity checks (e.g., cryptographic hashes) for downloaded models. Ensure that model loading mechanisms are sandboxed or isolated to prevent arbitrary code execution, even if a malicious model is loaded. | Static | SKILL.md:406 |
Scan History
Embed Code
[](https://skillshield.io/report/4f6665034c42d9a0)
Powered by SkillShield