Trust Assessment
abstract-onboard received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 4 high, 1 medium, and 0 low severity. Key findings include Arbitrary File Read via 'artifactPath', Arbitrary File Read via 'abiPath', and Reliance on Highly Sensitive WALLET_PRIVATE_KEY.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Arbitrary File Read via 'artifactPath'.** The 'deploy-abstract.js' script uses 'fs.readFileSync' with 'artifactPath' taken directly from command-line arguments. An attacker can provide a path traversal sequence (e.g., '../../../../etc/passwd') to read arbitrary files on the system. Although the script attempts to parse the content as JSON, a parsing error could still reveal parts of the file, or the mere act of reading the file into memory could be exploited in a more complex attack. Implement strict validation for 'artifactPath' to ensure it refers to a file within an expected, non-sensitive directory (e.g., './artifacts/') and does not contain path traversal characters ('..', '/'). Consider using a library that sanitizes file paths. | LLM | scripts/deploy-abstract.js:29 |
| HIGH | **Arbitrary File Read via 'abiPath'.** The 'call-contract.js' script uses 'fs.readFileSync' with 'abiPath' taken directly from command-line arguments. Similar to 'deploy-abstract.js', an attacker can provide a path traversal sequence (e.g., '../../../../etc/shadow') to read arbitrary files on the system. The script attempts to parse the content as JSON, but an error could reveal sensitive information. Implement strict validation for 'abiPath' to ensure it refers to a file within an expected, non-sensitive directory (e.g., './abi/' or './artifacts/') and does not contain path traversal characters ('..', '/'). Consider using a library that sanitizes file paths. | LLM | scripts/call-contract.js:40 |
| HIGH | **Reliance on Highly Sensitive WALLET_PRIVATE_KEY.** Multiple scripts ('call-contract.js', 'create-agw.js', 'deploy-abstract.js', 'relay-bridge.js', 'swap-tokens.js', 'transfer.js') and the 'hardhat.config.js' file directly access 'process.env.WALLET_PRIVATE_KEY'. This private key grants full control over the associated blockchain wallet. While necessary for the skill's functionality, its direct use from an environment variable makes the agent highly vulnerable to compromise if the execution environment is not perfectly secured. Any successful prompt injection or command injection could lead to the exfiltration or misuse of this critical credential. Implement robust security measures for the agent's execution environment to protect 'WALLET_PRIVATE_KEY'. Consider using a secure secrets management system or hardware security module (HSM) instead of plain environment variables. Limit the scope of the private key to only the necessary operations and funds. | LLM | scripts/call-contract.js:50 |
| HIGH | **Arbitrary Contract Function Execution.** The 'call-contract.js' script allows the agent to call any function ('functionName') on any specified contract ('address') with arbitrary arguments ('functionArgs'). This grants the agent extremely broad and powerful control over blockchain assets and contract states via the 'WALLET_PRIVATE_KEY'. If an attacker can manipulate the 'address', 'functionName', or 'functionArgs' inputs to this skill, they could execute malicious transactions, drain funds, or compromise contract logic. When using this skill, the agent's internal logic must strictly validate and sanitize all inputs ('address', 'functionName', 'functionArgs') to prevent unintended or malicious contract interactions. Consider implementing an allow-list for specific contract addresses and function names that the agent is permitted to interact with. | LLM | scripts/call-contract.js:67 |
| MEDIUM | **Unpinned Dependencies in Installation Instructions.** The 'SKILL.md' and 'hardhat.config.js' provide installation instructions for various npm packages (e.g., 'ethers', 'zksync-ethers', 'viem', '@matterlabs/hardhat-zksync', '@abstract-foundation/agw-client') without specifying exact versions. Using unpinned dependencies (e.g., 'npm install package' or 'version: "latest"' instead of 'npm install package@1.2.3') can lead to non-deterministic builds and makes the skill vulnerable to supply chain attacks, such as dependency confusion or malicious updates to a package. Pin all dependencies to exact versions in a 'package.json' file. Use a lock file ('package-lock.json') to ensure deterministic installations. Regularly audit and update dependencies. | LLM | SKILL.md:105 |