Trust Assessment
agent-voice received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via untrusted filename argument, Arbitrary File Read and Exfiltration via Path Traversal.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Potential Command Injection via untrusted filename argument: the `publish-memory.sh` example script builds `MEMORY_FILE="memory/$1.md"` from the unvalidated argument `$1` and then runs `head -1 "$MEMORY_FILE"` and `cat "$MEMORY_FILE"`. Because both expansions are double-quoted, shell metacharacters in `$1` (`;`, `\|`, `&`, `$(...)`) reach `head` and `cat` as part of a single filename and are not parsed as commands: an argument of `foo; rm -rf /; #` makes the script look for a file literally named `memory/foo; rm -rf /; #.md`, and `rm` never runs. The unvalidated argument becomes command injection only if the value is later expanded unquoted, passed to `eval`, or spliced into a string that another shell executes; as quoted in the script, the exposure reduces to the path-traversal issue below. Validate `$1` against an allow-list of filename characters before use (e.g. `^[a-zA-Z0-9_-]+$`) and keep every expansion quoted. | LLM | SKILL.md:103 |
| HIGH | Arbitrary File Read and Exfiltration via Path Traversal: the same `MEMORY_FILE="memory/$1.md"` line accepts `..` and `/` in `$1`, so an attacker who controls the argument can point the script at files outside the intended `memory/` directory. The `.md` suffix is appended unconditionally, which limits the reach to files whose names end in `.md` (`../../../../etc/passwd` becomes `memory/../../../../etc/passwd.md` and does not exist), but any Markdown file elsewhere in the repository or on the host is reachable, e.g. `../SKILL` resolves to `memory/../SKILL.md`. The content is read by `cat "$MEMORY_FILE"` and placed in the `curl` request body sent to `https://www.eggbrt.com/api/publish`. `jq -Rs .` correctly escapes the content for JSON but does nothing to prevent the read or the exfiltration. Strictly validate `$1` as a simple name (reject `..` and `/`, or allow only `^[a-zA-Z0-9_-]+$`), or resolve the path and confirm it still lies under `memory/` before reading it, or restrict the script to a whitelist of allowed filenames. | LLM | SKILL.md:105 |
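Both findings turn on the same line of the example script. The shell block below is an added illustration, not code from agent-voice or from SkillShield: it reconstructs only the path-building step (`memory/$1.md`) from the findings' description, leaves out the `jq`/`curl` publish step, and runs the unvalidated and the validated forms against a constructed directory containing `memory/note.md` and a sibling `secret.md`. The function names, the fixture files and their contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from agent-voice or SkillShield: the path-building step
# of the publish-memory.sh pattern the findings describe (MEMORY_FILE="memory/$1.md"),
# in its unvalidated and validated forms, exercised against a constructed directory.
# Function names, the fixture files and their contents are assumptions for this example.

# Reconstructed vulnerable pattern: the argument goes straight into the path.
unsafe_memory_file() {
    printf 'memory/%s.md\n' "$1"
}

# Allow-list check: a simple name only (letters, digits, '_' and '-'), nothing else.
# A case pattern matches the whole string, so an embedded newline or '/' fails too.
memory_name_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Hardened form: refuse to build a path from anything the allow-list rejects.
safe_memory_file() {
    memory_name_ok "$1" || return 1
    printf 'memory/%s.md\n' "$1"
}

# Constructed fixture: memory/note.md is the intended target; secret.md (a sibling
# of memory/, ending in .md) stands in for a file that must stay unreachable.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/memory"
    printf 'hello from memory\n' > "$d/memory/note.md"
    printf 'SECRET outside memory/\n' > "$d/secret.md"
    printf '%s\n' "$d"
}

# What the unvalidated script would put in the request body for a given name.
publish_body_unsafe() {   # $1 = base dir, $2 = untrusted name
    ( cd "$1" && cat "$(unsafe_memory_file "$2")" 2>/dev/null ) || true
}

# Same, with validation in front: prints "rejected" and fails for a bad name.
publish_body_safe() {     # $1 = base dir, $2 = untrusted name
    f=$(safe_memory_file "$2") || { printf 'rejected\n'; return 1; }
    ( cd "$1" && cat "$f" 2>/dev/null ) || true
}

# The CRITICAL finding's payload through the script's double-quoted expansion:
# the shell looks for a file literally named "memory/note; echo INJECTED; #.md",
# finds none, and executes nothing.
try_injection() {         # $1 = base dir
    name='note; echo INJECTED; #'
    f=$(unsafe_memory_file "$name")
    ( cd "$1" && head -n 1 "$f" 2>/dev/null ) || printf 'no file, nothing executed\n'
}

demo() {
    d=$(make_fixture)
    printf 'unsafe, note       -> %s\n' "$(publish_body_unsafe "$d" note)"
    printf 'unsafe, ../secret  -> %s\n' "$(publish_body_unsafe "$d" '../secret')"
    printf 'safe,   ../secret  -> %s\n' "$(publish_body_safe "$d" '../secret')"
    printf 'safe,   note       -> %s\n' "$(publish_body_safe "$d" note)"
    printf 'injection payload  -> %s\n' "$(try_injection "$d")"
    rm -rf "$d"
}

demo
```

Running it shows `../secret` reaching the sibling file through the unvalidated path while the allow-list rejects it, and shows the quoted expansion turning the `foo; rm -rf /; #` style payload into a failed filename lookup rather than a command. Where names legitimately need characters outside the allow-list, resolving the built path with `realpath` and checking that the result still starts with the absolute `memory/` directory is the alternative containment check.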
Full report: https://skillshield.io/report/b011838b83f3e9cd