Trust Assessment
agentledger received a trust score of 76/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 1 medium, and 1 low severity. Key findings include Unsafe deserialization / dynamic eval, Node lockfile missing, Arbitrary File Read via importPrivacyTransactions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Arbitrary File Read via importPrivacyTransactions: The `cli.js` command `agentledger import privacy <filePath>` directly passes the user-provided `filePath` to the `ledger.importPrivacyTransactions` method. This method then attempts to read the file using `fs.readFile`. Since the `filePath` is not validated to be within the designated `workspace` directory or a specific subdirectory, an attacker could specify an arbitrary path (e.g., `/etc/passwd`, `../../.env`) to read sensitive files from the host system. The skill's `filesystem: ["read"]` permission enables this vulnerability. Remediation: Implement path validation in `ledger.importPrivacyTransactions` to ensure that the provided `filePath` is resolved relative to the skill's designated workspace directory (e.g., `workspace/privacy`) and does not escape this boundary. For example, use `path.resolve()` and then verify the resolved path starts with the expected base directory. | LLM | cli.js:109 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remediation: Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/c-goro/agentledger/ledger.test.js:134 |
| LOW | Node lockfile missing: package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Remediation: Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/c-goro/agentledger/package.json |