Trust Assessment
agentvibesclawdbot received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 26 findings: 12 critical, 10 high, 2 medium, and 1 low severity. Key findings include arbitrary command execution, file read + network send exfiltration, and hidden network beacons / undisclosed telemetry.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (26)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/paulpreibisch/agentvibesclawdbot/SKILL.md:315 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/paulpreibisch/agentvibesclawdbot/setup.sh:304 | |
| CRITICAL | File read + network send exfiltration SSH key/config file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/paulpreibisch/agentvibesclawdbot/SKILL.md:42 | |
| CRITICAL | File read + network send exfiltration SSH key/config file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/paulpreibisch/agentvibesclawdbot/SKILL.md:47 | |
| CRITICAL | File read + network send exfiltration SSH key/config file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/paulpreibisch/agentvibesclawdbot/SKILL.md:56 | |
| CRITICAL | File read + network send exfiltration SSH key/config file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/paulpreibisch/agentvibesclawdbot/SKILL.md:181 | |
| CRITICAL | File read + network send exfiltration SSH key/config file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/paulpreibisch/agentvibesclawdbot/setup.sh:40 | |
| CRITICAL | File read + network send exfiltration SSH key/config file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/paulpreibisch/agentvibesclawdbot/setup.sh:43 | |
| CRITICAL | File read + network send exfiltration SSH key/config file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/paulpreibisch/agentvibesclawdbot/setup.sh:44 | |
| CRITICAL | File read + network send exfiltration SSH key/config file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/paulpreibisch/agentvibesclawdbot/setup.sh:49 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/paulpreibisch/agentvibesclawdbot/SKILL.md:315 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/paulpreibisch/agentvibesclawdbot/setup.sh:304 | |
| HIGH | Hidden network beacons / undisclosed telemetry Command output piped through base64 encoding Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious. | Manifest | skills/paulpreibisch/agentvibesclawdbot/setup.sh:149 | |
| HIGH | Sensitive path access: SSH key/config Access to SSH key/config path detected: '~/.ssh/id_ed25519'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/paulpreibisch/agentvibesclawdbot/SKILL.md:42 | |
| HIGH | Sensitive path access: SSH key/config Access to SSH key/config path detected: '~/.ssh/id_ed25519'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/paulpreibisch/agentvibesclawdbot/SKILL.md:47 | |
| HIGH | Sensitive path access: SSH key/config Access to SSH key/config path detected: '~/.ssh/config'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/paulpreibisch/agentvibesclawdbot/SKILL.md:56 | |
| HIGH | Sensitive path access: SSH key/config Access to SSH key/config path detected: '~/.ssh/config'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/paulpreibisch/agentvibesclawdbot/SKILL.md:181 | |
| HIGH | Sensitive path access: SSH key/config Access to SSH key/config path detected: '~/.ssh/id_ed25519'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/paulpreibisch/agentvibesclawdbot/setup.sh:40 | |
| HIGH | Sensitive path access: SSH key/config Access to SSH key/config path detected: '~/.ssh/id_ed25519'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/paulpreibisch/agentvibesclawdbot/setup.sh:43 | |
| HIGH | Sensitive path access: SSH key/config Access to SSH key/config path detected: '~/.ssh/id_ed25519'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/paulpreibisch/agentvibesclawdbot/setup.sh:44 | |
| HIGH | Sensitive path access: SSH key/config Access to SSH key/config path detected: '~/.ssh/config'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/paulpreibisch/agentvibesclawdbot/setup.sh:49 | |
| HIGH | Missing Base64 Decode Undermines Command Injection Prevention The `local-gen-tts.sh` script explicitly states it uses base64 encoding to prevent command injection when sending text to the remote device. However, the `agentvibes-play.sh` script, which is installed on the remote device by `setup.sh` and receives this base64 encoded text, fails to decode it before passing it to the internal `agentvibes` `play-tts.sh` script. This means the downstream script will receive base64 encoded text instead of plain text. This undermines the stated security measure and creates a potential command injection vulnerability if the internal `agentvibes` script (which is not provided in this context) were to decode the text and then process it in an insecure manner (e.g., using `eval` or unquoted execution). The skill's setup is responsible for ensuring the arguments are correctly handled throughout the chain. Modify the `agentvibes-play.sh` script to decode the base64 encoded text before passing it to the downstream `play-tts.sh` script. For example, add `TEXT=$(printf '%s' "$TEXT" | base64 -d)` after `TEXT="$1"`. | LLM | setup.sh:194 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/paulpreibisch/agentvibesclawdbot/SKILL.md:1 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/paulpreibisch/agentvibesclawdbot/setup.sh:19 | |
| LOW | Sed Delimiter Injection in Setup Script The `sed` command used to replace the `REPLACEME_WORKSPACE` placeholder in the `play-tts.sh` script uses `|` as a delimiter. If the `$WORKSPACE` variable (which is not regex validated) contains the `|` character, the `sed` command will become syntactically incorrect and fail. This would prevent the skill from being set up correctly, leading to a denial of service for the installation process. Either validate the `$WORKSPACE` variable to ensure it does not contain `|` or other `sed` metacharacters, or escape the `$WORKSPACE` variable for `sed` before using it in the replacement string. A more robust approach is to use a delimiter for `sed` that is unlikely to appear in paths, such as a null byte (if supported by the `sed` version) or a very unusual character sequence, or to use `printf %s "$WORKSPACE" | sed ...` to ensure proper escaping. | LLM | setup.sh:169 | |
| INFO | Reliance on Global NPM Package for Core Functionality The skill's setup process involves installing the `agentvibes` package globally via `npm install -g agentvibes`. While this is a common practice for Node.js tools, it introduces a supply chain risk. The security of the skill is dependent on the integrity and security of the `agentvibes` package and its dependencies. A compromise in the `agentvibes` package or its upstream dependencies could lead to malicious code execution on the host system. While inherent to using third-party packages, consider measures like pinning exact dependency versions, using package integrity checks (e.g., `npm audit`), and regularly reviewing the `agentvibes` package for known vulnerabilities. For critical applications, consider vendoring dependencies or using a private package registry with stricter controls. | LLM | setup.sh:90 |