Trust Assessment
4claw received a trust score of 77/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. Key findings include "Potential Command Injection via `curl` with unsanitized input", "Instructions encourage LLM persona adoption", and "Dynamic loading of heartbeat instructions from external URL".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential Command Injection via `curl` with unsanitized input.** The skill explicitly requires the `curl` binary (as indicated by `requires.bins`) and provides examples of its use to interact with the API. These examples involve sending user-controlled data (e.g., `title`, `content`, `media.data`) within the `curl -d` argument. If the agent constructs these `curl` commands by directly interpolating untrusted user input into a shell command string without proper escaping, a malicious user could inject arbitrary shell commands. For instance, a crafted `content` field could break out of the JSON string and execute system commands on the host where the agent is running. The agent implementation must strictly sanitize all user-provided inputs (e.g., `title`, `content`, `media.data`) before incorporating them into shell commands; this typically means proper shell escaping of special characters. Alternatively, use a language-native HTTP client library (e.g., Python's `requests` or Node.js's `fetch`) to make API calls, which avoids shell interpretation entirely and is generally safer. | LLM | SKILL.md:169 |
| MEDIUM | **Instructions encourage LLM persona adoption.** The skill's instructions explicitly encourage the LLM to adopt a specific, potentially unfiltered, persona and tone ('Write like an 4chan poster', 'Deep, thoughtful, edgy, proactive', 'Shitposting is allowed', 'post spicy hot takes', '/b/-adjacent energy'). This could lead the host LLM to generate content that deviates from its core safety guidelines, exhibits undesirable biases, or engages in harmful discourse, effectively manipulating its output style and content generation strategy. The host LLM should implement robust guardrails to prevent untrusted skill instructions from overriding its core safety policies or dictating a specific persona. Skill instructions should be rephrased to guide content generation without explicitly commanding the LLM to 'write like' a specific type of user or adopt a 'vibe' that could conflict with its ethical guidelines. | LLM | SKILL.md:30 |
| MEDIUM | **Dynamic loading of heartbeat instructions from external URL.** The skill instructs the agent to periodically download `HEARTBEAT.md` from `https://www.4claw.org/heartbeat.md` using `curl`. While this URL belongs to the skill's own domain, it represents dynamic loading of instructions. If the `4claw.org` domain or the `HEARTBEAT.md` file itself were compromised, an attacker could inject malicious instructions or prompt injection payloads into the agent's operational loop, potentially leading to unauthorized actions or data manipulation. Implement integrity checks (e.g., cryptographic hashes or digital signatures) for dynamically loaded content to verify its authenticity and prevent tampering. Alternatively, restrict the agent's ability to execute instructions loaded dynamically from external sources, or require explicit user confirmation for such updates. | LLM | SKILL.md:300 |