Security Audit
ru
github.com/Mrc220/agent_flywheel_clawdbot_skills_and_integrationsTrust Assessment
ru received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 3 critical, 2 high, 1 medium, and 0 low severity. Key findings include Arbitrary command execution, Remote code execution: curl/wget pipe to shell, Arbitrary Command Execution via Repository Hooks.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 6a655802). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ru/SKILL.md:477 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/ru/SKILL.md:477 | |
| CRITICAL | Arbitrary Command Execution via Repository Hooks The `ru agent-sweep` feature allows repositories to define `pre_hook` and `post_hook` commands within a `.ru-agent.yml` file. These hooks are explicitly designed to be executed by `ru` during the agent sweep process. If a malicious actor can commit a `.ru-agent.yml` file containing arbitrary shell commands to a repository, `ru` will execute these commands on the host system with the permissions of the `ru` process. This constitutes a critical command injection vulnerability, enabling potential data exfiltration, credential harvesting, or full system compromise. Do not execute arbitrary commands from untrusted repository content. Implement a strict allowlist for commands that can be run as hooks, or execute hooks within a highly sandboxed and isolated environment (e.g., a container with minimal privileges and no network access). | Static | SKILL.md:200 | |
| HIGH | Prompt Injection via Untrusted Repository Content to AI Agents The "AI-Assisted Review System" and "Agent Sweep" features involve AI agents processing untrusted content from GitHub repositories, including issues, pull requests, and uncommitted changes. A malicious actor could craft specific instructions or data within these untrusted inputs (e.g., a malicious commit message, PR description, or `extra_context` in `.ru-agent.yml`) to manipulate the AI agent's behavior. This could lead to the agent performing unintended actions, exfiltrating data, or misinterpreting instructions, potentially bypassing security guardrails. Implement robust input sanitization and validation for all untrusted content fed to AI agents. Employ strict guardrails, output filtering, and human-in-the-loop verification for AI agent actions. Consider running AI agents in isolated, least-privilege environments with limited access to sensitive operations or data. | LLM | SKILL.md:70 | |
| HIGH | Insecure Installation Method (`curl | bash`) The recommended installation method involves directly piping a script from a remote GitHub URL (`https://raw.githubusercontent.com/Dicklesworthstone/repo_updater/main/install.sh`) to `bash`. This `curl | bash` pattern is a significant supply chain risk. If the remote repository or the specific `install.sh` file is compromised, an attacker could execute arbitrary code on the user's system during installation, leading to a full system compromise. Recommend a more secure installation method. Users should be advised to download the script, review its contents for malicious code, and then execute it locally. Alternatively, provide installation via a trusted package manager with cryptographic verification. | Static | SKILL.md:320 | |
| MEDIUM | Potential Command Injection in `ru add` with Untrusted Input The `ru add` command allows users to specify repository owners, names, branches, and custom aliases (e.g., `ru add owner/repo@branch as custom-name`). If these user-provided strings are not rigorously sanitized or properly quoted when used in underlying shell commands (e.g., `git clone`, `git -C`), a malicious user could inject shell metacharacters (e.g., `;`, `&`, `|`, `` ` ``) to execute arbitrary commands. While the documentation doesn't explicitly detail sanitization, this is a common oversight in Bash CLIs. Ensure all user-provided strings used in shell commands are rigorously sanitized or properly quoted (e.g., using `printf %q` in Bash) to prevent shell metacharacter interpretation. | Static | SKILL.md:105 |
Scan History
Embed Code
[](https://skillshield.io/report/a6e69b9d72b13063)
Powered by SkillShield