Trust Assessment
advanced-calendar received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 20 findings: 8 critical, 8 high, 2 medium, and 2 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Node lockfile missing.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (20)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/toughworm/advanced-calendar/intent_handler.py:200 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/toughworm/advanced-calendar/intent_handler.py:284 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/toughworm/advanced-calendar/intent_handler.py:313 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/toughworm/advanced-calendar/openclaw_integration.py:184 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/toughworm/advanced-calendar/tests/test_basic.py:15 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/toughworm/advanced-calendar/tests/test_basic.py:31 |
| CRITICAL | Shell Command Injection via 'eval'. The `scripts/create-event-interactive.sh` script uses `eval` to execute a dynamically constructed command string. User-provided inputs such as `title`, `date`, `time`, `duration`, `location`, `description`, and `reminder` are directly embedded into this command string without sufficient sanitization. A malicious user can inject arbitrary shell commands by crafting input that breaks out of the quoted arguments, leading to remote code execution. Replace `eval $cmd` with a safer method of executing the Python script, such as `subprocess.run()` in Python with a list of arguments (not `shell=True`), or by ensuring all user inputs are strictly validated and escaped for shell execution. Avoid `eval` for user-controlled input. | LLM | scripts/create-event-interactive.sh:78 |
| CRITICAL | Shell Command Injection via 'eval'. The `scripts/parse-and-create-event.sh` script uses `eval` to execute a dynamically constructed command string. User-provided inputs such as `input`, `date`, `time`, `new_title`, `location`, `dur_input`, `reminder`, and `description` are directly embedded into this command string without sufficient sanitization. A malicious user can inject arbitrary shell commands by crafting input that breaks out of the quoted arguments, leading to remote code execution. Replace `eval $cmd` with a safer method of executing the Python script, such as `subprocess.run()` in Python with a list of arguments (not `shell=True`), or by ensuring all user inputs are strictly validated and escaped for shell execution. Avoid `eval` for user-controlled input. | LLM | scripts/parse-and-create-event.sh:160 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'get_daily_summary'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/toughworm/advanced-calendar/intent_handler.py:200 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'create_calendar_event'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/toughworm/advanced-calendar/intent_handler.py:284 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'list_calendar_events'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/toughworm/advanced-calendar/intent_handler.py:313 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'handle_followup'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/toughworm/advanced-calendar/openclaw_integration.py:184 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'test_create_and_list'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/toughworm/advanced-calendar/tests/test_basic.py:15 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'test_create_and_list'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/toughworm/advanced-calendar/tests/test_basic.py:31 |
| HIGH | Excessive Permissions: `cron:add`. The skill requests `cron:add` permission, which allows it to schedule arbitrary commands to run periodically. Combined with the command injection vulnerabilities found in the shell scripts (`create-event-interactive.sh`, `parse-and-create-event.sh`), an attacker could schedule persistent malicious commands on the host system. Review the necessity of `cron:add` permission. If required, ensure that any commands added to cron are strictly controlled and not influenced by untrusted user input. Implement robust input validation and sanitization for any parameters passed to cron commands. | LLM | package.json:26 |
| HIGH | Excessive Permissions: Broad File System Access. The skill requests broad `file:read` and `file:write` permissions without specifying a limited scope. While the Python script `scripts/calendar.py` appears to restrict its file operations to `~/.openclaw/calendar/events.json`, the broad permissions in `package.json` combined with command injection vulnerabilities could allow an attacker to read or write arbitrary files on the system. Restrict `file:read` and `file:write` permissions to the minimum necessary scope, ideally to a specific directory or file pattern (e.g., `file:read:~/.openclaw/calendar/*`). | LLM | package.json:24 |
| MEDIUM | Potential Data Exfiltration via `message:send`. The skill requests `message:send` permission, allowing it to send messages to external channels. If an attacker can achieve command injection (as identified) or prompt injection, they could potentially craft messages containing sensitive data read from the file system (via `file:read` permission) and exfiltrate it to an external channel. Ensure that all messages sent via `message:send` are strictly controlled and do not contain any user-controlled or sensitive data without proper sanitization and explicit user consent. Address underlying command and prompt injection vulnerabilities. | LLM | package.json:27 |
| MEDIUM | Prompt Injection via Unsanitized LLM Responses. The `openclaw_integration.py` script constructs responses for the host LLM using f-strings that directly embed user-controlled variables (e.g., `title`, `date`, `time`, `location`, `user_input`). If the host LLM processes these responses without sanitization, a malicious user could inject instructions into the LLM's subsequent turns, potentially manipulating its behavior or extracting information. Sanitize all user-controlled content before embedding it into responses that will be processed by the host LLM. Consider using a templating engine that automatically escapes output or explicitly escaping special characters relevant to the LLM's parsing. | LLM | openclaw_integration.py:43 |
| LOW | Node lockfile missing. package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/toughworm/advanced-calendar/package.json |
| LOW | Supply Chain Risk: Incorrect Script Paths. Several shell scripts (`calendar.sh`, `check-reminders.sh`, `check-repeat-reminders.sh`, `reminders.sh`) reference Python scripts at `/home/ubuntu/.openclaw/workspace/calendar_app/` (e.g., `calendar_app.py`, `remind_user.py`). However, the provided Python files are located in `scripts/` or `integration/` within the skill's directory. This discrepancy suggests a misconfiguration or an incomplete skill package, which could lead to unexpected behavior or runtime errors. While not a direct security vulnerability, it indicates a potential for broken functionality or an attacker placing malicious files at the expected paths. Correct the script paths in the shell wrappers to point to the actual locations of the Python scripts within the skill package (e.g., `$(dirname "$0")/../integration/openclaw_integration.py` or similar relative paths). | LLM | scripts/calendar.sh:4 |