Trust Assessment
ai-bill-intelligence received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 13 findings: 1 critical, 7 high, 3 medium, and 2 low severity. Key findings include Unsafe deserialization / dynamic eval, Unpinned npm dependency version, Node lockfile missing.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 11/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (13)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Services Configured to Run as Root: The `installer.sh` script uses `sudo cp` to copy systemd service files to `/etc/systemd/system/` and then `sudo systemctl enable` and `sudo systemctl start` to activate them. This configuration will cause both `ai-bill.service` and `ai-bill-collector.service` to run with root privileges. Running services as root grants them full system access, which is an excessive permission and a critical security risk. If these services are compromised, an attacker would gain complete control over the host system. Services should always run with the least privilege necessary. Create a dedicated, unprivileged user for these services and configure the systemd units to run under that user (e.g., using `User=` and `Group=` directives in the service file). Ensure that all files and directories accessed by the service have appropriate permissions for this unprivileged user. | LLM | installer.sh:33 |
| HIGH | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/fumarole16-afk/ai-bill-intelligence/dist/assets/main.js:48 |
| HIGH | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/fumarole16-afk/ai-bill-intelligence/dist/assets/main.js:58 |
| HIGH | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/fumarole16-afk/ai-bill-intelligence/dist/assets/main.js:59 |
| HIGH | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/fumarole16-afk/ai-bill-intelligence/dist/assets/main.js:86 |
| HIGH | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/fumarole16-afk/ai-bill-intelligence/dist/assets/main.js:103 |
| HIGH | Untrusted Code Source in Installer: The `installer.sh` script downloads the skill's core code from `https://github.com/fumabot16-max/project-bill/archive/refs/heads/master.zip`. This repository (`fumabot16-max/project-bill`) is different from the implied source (`openclaw/skills`) and the repository listed in `package.json`. This introduces a significant supply chain risk as the actual code being installed is not directly controlled or reviewed within the OpenClaw ecosystem, and could be swapped or modified by a third party without notice. The skill should be installed directly from the OpenClaw skill repository or a trusted, verified source. If an external repository is necessary, it should be explicitly documented and the integrity of the downloaded content should be verified (e.g., via checksums). | LLM | installer.sh:15 |
| HIGH | Access to Sensitive System Paths by Root Service: The `collector.js` script is designed to read and write files in sensitive system directories such as `/root/.openclaw/workspace/ai-bill/` and `/var/www/html/bill/`. Given that the `installer.sh` configures the `ai-bill-collector` service to run as root, this script will execute with full root privileges. This allows it to access, modify, or delete any file on the system, including potentially sensitive user data or system configurations. Specifically, reading `/root/.openclaw/agents/main/sessions/sessions.json` grants access to agent session data, which could contain sensitive information beyond just token counts. This combination of root execution and access to sensitive paths creates a high risk of data exfiltration or system compromise if the collector script has any vulnerabilities. Refactor the skill to avoid requiring root privileges. Store data in less sensitive, user-specific directories (e.g., `~/.local/share/ai-bill`). If system-wide access is strictly necessary, implement granular permissions and ensure the service runs as a dedicated, unprivileged user with only the minimum required capabilities. Review the contents of `sessions.json` to confirm no highly sensitive data is stored there, or implement redaction/encryption if it is. | LLM | collector.js:3 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/fumarole16-afk/ai-bill-intelligence/dist/assets/main.js:1 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/fumarole16-afk/ai-bill-intelligence/dist/assets/main.js:37 |
| MEDIUM | Unpinned npm dependency version: Dependency 'express' is not pinned to an exact version ('^4.18.2'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/fumarole16-afk/ai-bill-intelligence/package.json |
| LOW | Node lockfile missing: package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/fumarole16-afk/ai-bill-intelligence/package.json |
| LOW | Unpinned Dependencies: The `package.json` file specifies dependencies (`express`, `cors`) using caret (`^`) ranges, which allows for automatic updates to minor and patch versions. While this can simplify maintenance, it introduces a slight supply chain risk as a malicious update to a dependency within the allowed range could be automatically installed, potentially introducing vulnerabilities. Pin exact versions for all dependencies (e.g., `"express": "4.18.2"`) to ensure deterministic builds and prevent unexpected changes from upstream packages. Alternatively, ensure a `package-lock.json` or `yarn.lock` file is committed and used to lock dependency versions. | LLM | package.json:10 |