Trust Assessment
aliyun-asr received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 1 critical, 4 high, 1 medium, and 1 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Suspicious import: requests.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings7
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/jixsonwang/aliyun-asr/aliyun_pure_asr.py:93 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'speech_to_text'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/jixsonwang/aliyun-asr/aliyun_pure_asr.py:93 | |
| HIGH | Potential data exfiltration: file read + network send Function 'speech_to_text' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/jixsonwang/aliyun-asr/aliyun_pure_asr.py:100 | |
| HIGH | Arbitrary file read leading to data exfiltration The `speech_to_text` method in `aliyun_pure_asr.py` directly uses the `audio_file` path, which is derived from user-controlled input (`sys.argv[1]` in `main.py` and `handle_media.py`), in an `open()` call. An attacker can provide a path to any file on the system that the skill's process has read permissions for (e.g., `/etc/passwd`, `/root/.openclaw/aliyun-asr-config.json`). The content of this arbitrary file is then read into `audio_data` and subsequently uploaded to the Aliyun ASR API. This constitutes a data exfiltration vulnerability. Implement strict validation and sanitization of the `audio_file` path. Ensure that the path is canonicalized and restricted to a secure, temporary directory where only expected audio files are stored. Do not allow arbitrary file paths from user input. For example, generate a unique, temporary file name for the audio, save the user's audio content to this safe path, and then pass this validated path to `open()`. | LLM | aliyun_pure_asr.py:88 | |
| HIGH | Arbitrary file write via `ffmpeg` output path manipulation The `speech_to_text` method in `aliyun_pure_asr.py` uses `subprocess.run` to execute `ffmpeg`. If the input `audio_file` (derived from user-controlled input) ends with `.ogg`, a new `wav_file` path is constructed by replacing the extension. An attacker can craft `audio_file` to include directory traversal sequences (e.g., `../../../etc/shadow.ogg`). This would result in `wav_file` becoming `../../../etc/shadow.wav`, causing `ffmpeg` to attempt to write a WAV file to an arbitrary location on the filesystem. If the skill's process has write permissions to the target location, this could lead to overwriting sensitive system files, compromising system integrity or leading to denial of service. Implement strict validation and sanitization of the `audio_file` path. Ensure that the path is canonicalized and restricted to a secure, temporary directory. The output `wav_file` should also be generated in a controlled, temporary location, independent of the user-provided input path, to prevent directory traversal and arbitrary file writes. | LLM | aliyun_pure_asr.py:84 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/jixsonwang/aliyun-asr/aliyun_pure_asr.py:11 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/jixsonwang/aliyun-asr/package.json |
Scan History
Embed Code
[](https://skillshield.io/report/18b8cee1c9282137)
Powered by SkillShield