Security Audit
dcg
github.com/Mrc220/agent_flywheel_clawdbot_skills_and_integrationsTrust Assessment
dcg received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 11 findings: 6 critical, 4 high, 1 medium, and 0 low severity. Key findings include Arbitrary command execution, File read + network send exfiltration, Remote code execution: curl/wget pipe to shell.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 6a655802). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings11
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/dcg/SKILL.md:193 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/dcg/SKILL.md:196 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/dcg/SKILL.md:214 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/dcg/SKILL.md:414 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/dcg/SKILL.md:193 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/dcg/SKILL.md:196 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/dcg/SKILL.md:214 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/dcg/SKILL.md:414 | |
| HIGH | Unpinned remote script execution for installation The recommended installation method for the DCG skill involves piping an unpinned remote shell script directly to `bash`. This practice introduces a significant supply chain risk. If the `master` branch of the `Dicklesworthstone/destructive_command_guard` repository were compromised, a malicious `install.sh` script could be executed on the user's system, leading to arbitrary code execution. The `$(date +%s)` cache-buster does not mitigate this risk, as it still fetches the latest version from the `master` branch. Recommend installing from a specific, pinned version (e.g., a git tag or commit hash) to ensure reproducibility and prevent unexpected changes. Users should be advised to review the script content before execution. Alternatively, provide a signed package or a more secure installation method. | Static | SKILL.md:196 | |
| HIGH | Agent can bypass security guard via environment variable The `DCG_BYPASS=1` environment variable is documented as an 'escape hatch' to entirely disable the Destructive Command Guard. In the context of an AI agent, this presents a critical prompt injection vulnerability. An agent, if sufficiently prompted or manipulated, could set this environment variable before executing a command, thereby circumventing the intended security protections and executing destructive commands that DCG is designed to block. While the skill's threat model acknowledges that it doesn't protect against 'malicious actors', an LLM agent susceptible to prompt injection can effectively become such an actor. Implement a mechanism within the Claude Code environment to prevent the agent from setting `DCG_BYPASS=1` for `PreToolUse` hooks, or ensure that the hook runner strips this variable from the environment before invoking `dcg`. Alternatively, if a bypass is absolutely necessary, it should require explicit human confirmation for any command that would otherwise be blocked, even if `DCG_BYPASS` is set. | LLM | SKILL.md:188 | |
| MEDIUM | Unpinned git repository installation Installing the skill directly from the `master` branch of a git repository (`cargo +nightly install --git ...`) without specifying a commit hash or tag introduces a supply chain risk. Future changes to the `master` branch could introduce vulnerabilities or malicious code without explicit user review or consent, potentially compromising the system where the skill is installed. Recommend installing from a specific, pinned version (e.g., a git tag or commit hash) to ensure reproducibility and prevent unexpected changes. This ensures that the installed code is exactly what was reviewed and approved. | Static | SKILL.md:204 |
Scan History
Embed Code
[](https://skillshield.io/report/b52a74bad9fcca40)
Powered by SkillShield