Security Audit

github

github.com/Mrc220/agent_flywheel_clawdbot_skills_and_integrations

AI SkillCommit c7bd8e0f6900

CRITICAL

Scanned 9 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

github received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 5 findings: 2 critical, 3 high, 0 medium, and 0 low severity. Key findings include File read + network send exfiltration, Sensitive path access: SSH key/config, Potential for Command Injection via gh CLI arguments.

The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. The static_code_analysis layer scored lowest at 25/100, indicating areas for improvement.

Last analyzed on February 11, 2026 (commit c7bd8e0f). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

70%

Static Code Analysis

25%

Dependency Graph

100%

LLM Behavioral Safety

100%

Behavioral Risk Signals

Network Access

4 findings

Filesystem Write

3 findings

Shell Execution

3 findings

Dynamic Code

1 finding

Excessive Permissions

4 findings

Security Findings5

Severity	Finding	Layer	Location
CRITICAL	File read + network send exfiltration SSH key/config file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-xq4680wk/repo/skills/github/SKILL.md:342
CRITICAL	Potential for Command Injection via gh CLI arguments The skill exposes a wide range of GitHub CLI commands, many of which accept user-controlled arguments. If an LLM constructs these commands using untrusted input without proper sanitization, it could lead to command injection. Specifically, the `gh api` command allows arbitrary API calls, including GraphQL queries and POST requests with custom bodies, which could be exploited to execute malicious logic or manipulate GitHub resources. Other commands like `gh repo create`, `gh issue create`, `gh pr create`, `gh workflow run`, `gh release create`, `gh gist create`, `gh search`, `gh label create`, `gh ssh-key add`, `gh gpg-key add`, `gh secret set`, `gh variable set`, `gh extension install`, `gh alias set`, and `gh config set` are also vulnerable if their arguments are not properly validated. Implement robust input validation and sanitization for all arguments passed to `gh` commands. Avoid directly embedding untrusted user input into command strings. For `gh api`, restrict its usage or carefully validate the API endpoint, method, and body to prevent arbitrary API calls. Consider using a more constrained GitHub API client if only specific operations are needed.	Unknown	SKILL.md:1
HIGH	Sensitive path access: SSH key/config Access to SSH key/config path detected: '~/.ssh/id_ed25519'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Unknown	/var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-xq4680wk/repo/skills/github/SKILL.md:342
HIGH	Excessive Permissions granted by full gh CLI exposure The skill exposes the full functionality of the `gh` CLI, granting the agent the same broad permissions as the authenticated user. This includes the ability to create, delete, modify, and read almost any resource on GitHub (repositories, issues, pull requests, workflows, releases, gists, secrets, variables, SSH keys, GPG keys, extensions). If the agent is compromised or misused, this excessive level of access could lead to significant data loss, unauthorized modifications, or complete account takeover. Implement a principle of least privilege. If possible, restrict the `gh` commands available to the agent to only those strictly necessary for its intended function. Consider using a dedicated GitHub user or token with minimal required permissions. For critical operations, require human approval or multi-factor authentication. Implement strict access controls around the agent's execution environment.	Unknown	SKILL.md:1
HIGH	Potential for Data Exfiltration via gh CLI commands The skill provides commands that can be used to exfiltrate sensitive data from GitHub. The `gh api` command is particularly dangerous as it allows arbitrary API calls, enabling an attacker to read private repository content, issue comments, user data, and other sensitive information accessible via the GitHub API. While `gh secret list` and `gh variable list` only show names, they can be used for reconnaissance to identify targets for further exfiltration. An agent could also be tricked into using `gh gist create` or `gh repo create` to publish sensitive local files or GitHub data publicly. Restrict the agent's ability to use `gh api` or implement strict validation on its arguments. Monitor agent activity for unusual API calls or attempts to access sensitive data. Implement data loss prevention (DLP) mechanisms. Ensure that the GitHub token used by the agent has the minimum necessary read permissions and no write/delete permissions unless absolutely required.	Unknown	SKILL.md:1

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/13b0c3712bf8db3c.svg)](https://skillshield.io/report/13b0c3712bf8db3c)