Security Audit
csctf
github.com/Mrc220/agent_flywheel_clawdbot_skills_and_integrationsTrust Assessment
csctf received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 13 findings: 10 critical, 1 high, 2 medium, and 0 low severity. Key findings include Arbitrary command execution, Remote code execution: curl/wget pipe to shell, Access and temporary storage of browser session cookies.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 6a655802). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings13
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/csctf/SKILL.md:25 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/csctf/SKILL.md:376 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/csctf/SKILL.md:379 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/csctf/SKILL.md:382 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/csctf/SKILL.md:385 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/csctf/SKILL.md:25 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/csctf/SKILL.md:376 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/csctf/SKILL.md:379 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/csctf/SKILL.md:382 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/csctf/SKILL.md:385 | |
| HIGH | Access and temporary storage of browser session cookies The skill explicitly states it copies Chrome session cookies to a temporary profile for scraping Claude.ai. While described as temporary and safe, this grants the tool access to highly sensitive user authentication data. A compromised or malicious version of the tool could exfiltrate these cookies, leading to account takeover. Users should be fully aware of this high-trust operation. The tool's implementation should be thoroughly audited to ensure cookies are handled with maximum security, isolated, and immediately purged. Consider alternative authentication methods if possible that do not require direct cookie access. | Static | SKILL.md:68 | |
| MEDIUM | Unpinned `curl | bash` installation method The recommended quick start installation method uses `curl -fsSL ... | bash` without pinning a specific version. This means the script executed could change at any time on the remote server, introducing a supply chain risk if the repository or script is compromised. While the document later shows how to pin a version, the primary quick start does not. Always recommend and default to a version-pinned installation method (e.g., `VERSION=v1.0.0 curl -fsSL ... | bash`) to ensure reproducibility and reduce the risk of unexpected changes. Provide checksum verification as a default part of the installation instructions. | Static | SKILL.md:40 | |
| MEDIUM | Capability to push to arbitrary GitHub repositories The skill includes functionality to publish generated content to GitHub Pages, which involves committing and pushing to a specified GitHub repository. This capability, while relying on the `gh` CLI for authentication, means the tool can initiate modifications to remote repositories. A compromised tool could be used to push malicious content or exfiltrate data to attacker-controlled repositories. Users should be fully aware of the implications of granting a tool the ability to push to their GitHub repositories. The tool should implement strict validation on target repository names and branches. Consider adding explicit user confirmation for each push operation, even when `--yes` is used, for critical actions. | Static | SKILL.md:160 |
Scan History
Embed Code
[](https://skillshield.io/report/15988d68e56b3b84)
Powered by SkillShield