Security Audit
oliveskin/openclaw-skill-tinman:skills/tinman
github.com/oliveskin/openclaw-skill-tinman
Trust Assessment
oliveskin/openclaw-skill-tinman:skills/tinman received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 15 findings: 6 critical, 4 high, 5 medium, and 0 low severity. Key findings include System prompt override / policy bypass, Persistence / self-modification instructions, and File read + network send exfiltration.
The analysis covered 4 layers: dependency_graph, static_code_analysis, manifest_analysis, llm_behavioral_safety. The manifest_analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit 96faf7a2). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (15)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | System prompt override / policy bypass: Ignore/disregard previous instructions pattern. Remove or rewrite any instructions that attempt to override system behavior. Legitimate skills should not contain phrases like 'ignore previous instructions' or 'new system prompt'. | Unknown | /tmp/skillscan-clone-wreboqhj/repo/skills/tinman/SKILL.md:214 |
| CRITICAL | Persistence / self-modification instructions: systemd service persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Unknown | /tmp/skillscan-clone-wreboqhj/repo/skills/tinman/tinman_runner.py:353 |
| CRITICAL | Persistence / self-modification instructions: Windows registry Run key / hidden PowerShell. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Unknown | /tmp/skillscan-clone-wreboqhj/repo/skills/tinman/tinman_runner.py:332 |
| CRITICAL | File read + network send exfiltration: SSH key/config file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Unknown | /tmp/skillscan-clone-wreboqhj/repo/skills/tinman/SKILL.md:31 |
| CRITICAL | File read + network send exfiltration: SSH key/config file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Unknown | /tmp/skillscan-clone-wreboqhj/repo/skills/tinman/SKILL.md:206 |
| CRITICAL | File read + network send exfiltration: SSH key/config file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Unknown | /tmp/skillscan-clone-wreboqhj/repo/skills/tinman/SKILL.md:207 |
| HIGH | Sensitive path access: SSH key/config. Access to SSH key/config path detected: '~/.ssh/id_rsa'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Unknown | /tmp/skillscan-clone-wreboqhj/repo/skills/tinman/SKILL.md:31 |
| HIGH | Sensitive path access: SSH key/config. Access to SSH key/config path detected: '~/.ssh/id_rsa'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Unknown | /tmp/skillscan-clone-wreboqhj/repo/skills/tinman/SKILL.md:206 |
| HIGH | Sensitive path access: SSH key/config. Access to SSH key/config path detected: '~/.ssh/id_rsa'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Unknown | /tmp/skillscan-clone-wreboqhj/repo/skills/tinman/SKILL.md:207 |
| HIGH | Data Exfiltration via WebSocket Gateway: The `/tinman watch` command accepts a `--gateway` argument that allows connecting the monitoring stream to an arbitrary WebSocket URL. Since the tool analyzes sensitive session history, tool outputs, and potential security findings, an attacker could coerce the agent (via prompt injection) to execute this command with a malicious URL, thereby exfiltrating confidential session data to an external server. This contradicts the privacy claim that 'No session data sent externally'. Restrict the `--gateway` argument to a strict allowlist of trusted domains or localhost only. Do not allow the LLM or user input to specify arbitrary external URLs for the monitoring stream. | Unknown | SKILL.md:108 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Unknown | /tmp/skillscan-clone-wreboqhj/repo/skills/tinman/tinman_runner.py:5 |
| MEDIUM | Unpinned Python dependency version: Requirement 'AgentTinman>=0.2.1' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Unknown | /tmp/skillscan-clone-wreboqhj/repo/skills/tinman/requirements.txt:1 |
| MEDIUM | Unpinned Python dependency version: Requirement 'tinman-openclaw-eval>=0.3.2' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Unknown | /tmp/skillscan-clone-wreboqhj/repo/skills/tinman/requirements.txt:2 |
| MEDIUM | Unpinned Python dependency version: Requirement 'pyyaml>=6.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Unknown | /tmp/skillscan-clone-wreboqhj/repo/skills/tinman/requirements.txt:3 |
| MEDIUM | Potential Credential Exposure in Sweep Reports: The `/tinman sweep` command executes synthetic attack probes, including `tool_exfil` which targets SSH keys and credentials. If these probes are successful and the tool logs the actual content of the accessed files (e.g., private keys) into the report file (`tinman-sweep.md`), subsequent reading of this report by the agent would expose these plaintext credentials in the context window/logs. Ensure that the `tinman` library and runner explicitly redact sensitive data (secrets, keys, tokens) from generated reports, logging only the existence/accessibility of the files rather than their contents. | Unknown | SKILL.md:130 |