Trust Assessment
ai-bill-intelligence received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 11 findings: 0 critical, 7 high, 3 medium, and 1 low severity. Key findings include "Unsafe deserialization / dynamic eval", "Unpinned npm dependency version", and "Node lockfile missing".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 11/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (11)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/fumarole16-afk/ai-bill-clawhub/dist/assets/main.js:48 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/fumarole16-afk/ai-bill-clawhub/dist/assets/main.js:58 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/fumarole16-afk/ai-bill-clawhub/dist/assets/main.js:59 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/fumarole16-afk/ai-bill-clawhub/dist/assets/main.js:86 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/fumarole16-afk/ai-bill-clawhub/dist/assets/main.js:103 |
| HIGH | Default session path requires root access and allows arbitrary file reading via environment variable. The `collector.js` script attempts to read session data from `/root/.openclaw/agents/main/sessions/sessions.json` by default. This path implies the skill expects to run with root privileges, which is an excessive permission for a billing intelligence skill. Furthermore, the `SESSION_PATH` can be overridden by the `OPENCLAW_SESSIONS` environment variable. If an attacker can control this environment variable, they could direct the skill to read arbitrary sensitive files on the system, leading to data exfiltration. 1. Avoid hardcoding paths that require root privileges. The skill should operate with the least privilege necessary. 2. Reconsider the default location for session files to a user-level directory (e.g., `~/.openclaw/...`). 3. Implement strict validation or sanitization for environment variables that define file paths to prevent arbitrary file access. If the skill must read session data, ensure it's from a well-defined, non-root, and secure location. | LLM | collector.js:5 |
| HIGH | Sensitive usage data exposed via unauthenticated API endpoint. The `server.js` application exposes the `dist/usage.json` file, which contains real-time AI spending, remaining balances, and token usage statistics, through an unauthenticated API endpoint (`/api/usage`). Any entity with network access to the server (defaulting to `localhost:8003`) can retrieve this sensitive financial information without any form of authentication or authorization. The redirect from `/usage_live.json` also exposes this data. 1. Implement robust authentication and authorization mechanisms for the `/api/usage` endpoint. Only authorized users should be able to access this sensitive financial data. 2. Consider encrypting or hashing sensitive data if it must be stored or transmitted. 3. Ensure the web server is not exposed to the public internet unless absolutely necessary and secured appropriately. | LLM | server.js:17 |
| MEDIUM | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/fumarole16-afk/ai-bill-clawhub/dist/assets/main.js:1 |
| MEDIUM | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/fumarole16-afk/ai-bill-clawhub/dist/assets/main.js:37 |
| MEDIUM | Unpinned npm dependency version. Dependency 'express' is not pinned to an exact version ('^4.18.2'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/fumarole16-afk/ai-bill-clawhub/package.json |
| LOW | Node lockfile missing. package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/fumarole16-afk/ai-bill-clawhub/package.json |