Trust Assessment
archon received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 13 findings: 2 critical, 3 high, 8 medium, and 0 low severity. Key findings include "Sensitive environment variable access: $HOME", "Arbitrary File Read and Command Injection via vault-backup script", and "Arbitrary File Write and Command Injection via vault-restore script".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (13)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary File Read and Command Injection via vault-backup script. The `archon-vault-backup.sh` script takes a `FILE_PATH` as an argument and uses it directly in shell commands (`stat`, `sha256sum`, `base64`) without sufficient sanitization. An attacker controlling `FILE_PATH` could inject shell metacharacters to execute arbitrary commands. Furthermore, the script reads the content of the specified file using `base64 < "$FILE_PATH"` and passes it to `npx @didcid/keymaster add-vault-item`. This allows an attacker to read the content of any file accessible to the script and potentially exfiltrate it via the vault mechanism. Implement strict input validation for `FILE_PATH` to ensure it refers to an allowed file within expected boundaries and does not contain shell metacharacters. Consider using a safer method for reading file content that does not involve direct shell execution with untrusted input. For example, use a language runtime (like Node.js or Python) to read the file and pass its content securely. | LLM | scripts/archon-vault-backup.sh:25 |
| CRITICAL | Arbitrary File Write and Command Injection via vault-restore script. The `archon-vault-restore.sh` script takes an `OUTPUT_PATH` as an argument and passes it directly to `npx @didcid/keymaster get-vault-item --output "$OUTPUT_PATH"`. If the `keymaster` tool does not sufficiently sanitize this path, an attacker controlling `OUTPUT_PATH` could specify an arbitrary file path, leading to arbitrary file write. Additionally, the `OUTPUT_PATH` is used in subsequent shell commands (`stat`, `sha256sum`), which could lead to command injection if it contains shell metacharacters. Implement strict input validation for `OUTPUT_PATH` to ensure it refers to an allowed file within expected boundaries and does not contain shell metacharacters. Ensure the `keymaster` tool itself sanitizes output paths or consider writing to a temporary file and then moving it to a validated destination. | LLM | scripts/archon-vault-restore.sh:25 |
| HIGH | Command Injection via unsanitized arguments in create-did script. The `archon-create-did.sh` script constructs an `npx` command using `$NAME` and `$TYPE` directly from user input. If these variables contain shell metacharacters (e.g., `$(rm -rf /)` or `--evil-arg`), they could be interpreted by the shell before `npx` is executed, leading to arbitrary command injection. Validate and sanitize all user-provided arguments (`NAME`, `TYPE`) to ensure they do not contain shell metacharacters. Consider using `exec` with an array of arguments if the shell supports it, or pass arguments via environment variables if the target command supports it, to prevent shell interpretation. | LLM | scripts/archon-create-did.sh:14 |
| HIGH | Command Injection via unsanitized arguments in issue-credential script. The `archon-issue-credential.sh` script constructs an `npx` command using `$ISSUER_DID`, `$SUBJECT_DID`, `$TYPE`, and `$CLAIMS` directly from user input. If these variables contain shell metacharacters, they could be interpreted by the shell before `npx` is executed, leading to arbitrary command injection. The `$CLAIMS` argument, expected to be JSON, is particularly vulnerable if an attacker can inject additional command-line arguments. Validate and sanitize all user-provided arguments (`ISSUER_DID`, `SUBJECT_DID`, `TYPE`, `CLAIMS`) to ensure they do not contain shell metacharacters. For JSON arguments, ensure they are properly escaped or passed via a file to prevent command-line injection. | LLM | scripts/archon-issue-credential.sh:22 |
| HIGH | Unpinned dependency for `@didcid/keymaster`. Multiple scripts use `npx @didcid/keymaster` without specifying a version. This means `npx` will fetch and execute the latest available version of the package. A malicious actor could publish a compromised version of `@didcid/keymaster`, leading to a supply chain attack where the skill executes arbitrary malicious code. Pin the `@didcid/keymaster` dependency to a specific, known-good version (e.g., `npx @didcid/keymaster@1.2.3`) in all scripts to mitigate the risk of supply chain attacks. Regularly review and update the pinned version. | LLM | scripts/archon-create-did.sh:14 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/santyr/archon-skill/scripts/archon-create-did.sh:11 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/santyr/archon-skill/scripts/archon-issue-credential.sh:12 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/santyr/archon-skill/scripts/archon-list-credentials.sh:6 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/santyr/archon-skill/scripts/archon-list-ids.sh:6 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/santyr/archon-skill/scripts/archon-vault-backup.sh:23 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/santyr/archon-skill/scripts/archon-vault-list.sh:9 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/santyr/archon-skill/scripts/archon-vault-restore.sh:15 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/santyr/archon-skill/scripts/sign-repo.sh:8 |