Trust Assessment
agentic-calling received a trust score of 37/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 1 critical, 1 high, 4 medium, and 0 low severity. Key findings include "Missing required field: name", "Sensitive environment variable access: $HOME", and "Command Injection via Python String Literal".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via Python String Literal.** The `make-call.sh` script constructs a Python command using `python3 -c "..."` where the `$TWIML` variable is directly embedded into a triple-quoted string literal. If the `$MESSAGE` parameter (which forms part of `$TWIML`) contains the sequence `'''` (three single quotes), it can break out of the Python string literal and inject arbitrary Python code. This injected code can then execute shell commands, leading to full command injection on the host system. Sanitize the `$MESSAGE` and `$VOICE` parameters to prevent them from containing characters that could break out of the Python string literal. A safer approach would be to pass the `$TWIML` content on standard input or as a separate argument to a Python script, rather than embedding it directly into the command string. | LLM | scripts/make-call.sh:100 |
| HIGH | **Arbitrary File Write via --output Parameter.** The `call-status.sh` script allows users to specify an arbitrary file path for downloading call recordings using the `--output` parameter. An attacker could exploit this vulnerability to write to sensitive system files (e.g., `/etc/passwd`, `~/.ssh/authorized_keys`) or overwrite critical data anywhere on the filesystem. This could lead to privilege escalation, data corruption, or denial of service. Implement strict sanitization for the `$OUTPUT_FILE` parameter. Ensure it only contains a valid filename (e.g., disallow path separators like `/` or `..`) and/or restrict the output directory to a safe, non-sensitive, and ideally temporary location where the agent has limited permissions. | LLM | scripts/call-status.sh:90 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for openclaw skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/kellyclaudeai/agentic-calling/SKILL.md:1 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/kellyclaudeai/agentic-calling/scripts/call-status.sh:8 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/kellyclaudeai/agentic-calling/scripts/make-call.sh:8 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/kellyclaudeai/agentic-calling/scripts/sms-notify.sh:8 |
| INFO | **Unpinned System Dependencies.** The `skill.json` manifest specifies system dependencies (`jq`, `curl`, `python3`) using minimum versions (e.g., `1.6+`, `7.0+`, `3.6+`) rather than pinned exact versions or specific major/minor versions. While common for system tools, this practice introduces a supply chain risk, as future updates to these tools might introduce breaking changes, vulnerabilities, or unexpected behavior that could affect the skill's operation or security without explicit review. Pin system dependencies to specific major or minor versions (e.g., `jq: "1.6"`, `curl: "7.x"`) or specify a maximum compatible version to prevent unintended upgrades that could introduce vulnerabilities or break functionality. | LLM | skill.json:10 |