Security Audit

asl-control

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned 3 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

asl-control received a trust score of 28/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 5 findings: 3 critical, 1 high, 1 medium, and 0 low severity. Key findings include Suspicious import: requests, Remote code execution: curl/wget pipe to shell, Command Injection in Shell Script Arguments.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

63%

Dependency Graph

100%

LLM Behavioral Safety

25%

Behavioral Risk Signals

Network Access

3 findings

Filesystem Write

2 findings

Shell Execution

3 findings

Dynamic Code

3 findings

Excessive Permissions

1 finding

Security Findings5

Severity	Finding	Layer	Location
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/kj5irq/asl-control/scripts/asl-api.sh:21
CRITICAL	Command Injection in Shell Script Arguments The `scripts/asl-api.sh` bash script directly interpolates user-controlled variables (`$node`, `$monitor`, `$lines`, `$endpoint`, `$body`) into `curl` commands and JSON payloads without proper sanitization or escaping. An attacker who can control these arguments (e.g., through crafted input to the skill) can inject arbitrary shell commands, leading to remote code execution. Implement robust input validation and sanitization for all user-controlled variables before they are used in shell commands. For JSON payloads, ensure variables are properly escaped or use a JSON library that handles serialization safely. For shell commands, prefer using `exec` forms (e.g., `exec curl ...`) or pass arguments as separate list items to `bash -c` if possible, to avoid shell parsing of arguments. Alternatively, remove this shell script and rely solely on the Python client which uses a safer HTTP library.	LLM	scripts/asl-api.sh:20
CRITICAL	Command Injection via `--secrets-file` argument in Python script The `cmd_net_tick` function in `scripts/asl-tool.py` executes a shell command using `subprocess.run(['/bin/bash', '-c', cmd])`. The `cmd` string includes `source {secrets_file}`. The path to `secrets_file` can be controlled by the `--secrets-file` command-line argument. An attacker can specify a path to a malicious script they control, which will then be sourced and executed by `/bin/bash -c`, leading to arbitrary command execution. Do not allow arbitrary file paths to be sourced via shell execution. If a secrets file must be loaded, ensure its path is strictly controlled and validated, or load environment variables directly within the Python script without invoking a shell. Consider using a more secure method for loading credentials that doesn't involve sourcing arbitrary files.	LLM	scripts/asl-tool.py:560
HIGH	Arbitrary File Write/Read via `ASL_STATE_DIR` environment variable The `_state_dir()` function in `scripts/asl-tool.py` allows the `ASL_STATE_DIR` environment variable to override the default state directory. The script then creates directories and writes JSON files (e.g., `favorites.json`, `net-profiles.json`, `net-session.json`) into this path. An attacker who can control `ASL_STATE_DIR` (e.g., through prompt injection manipulating environment variables) could point it to sensitive system directories, potentially overwriting critical files with invalid JSON (leading to denial of service) or creating new files in unauthorized locations. It could also be used to read existing JSON files from arbitrary locations, leading to data exfiltration. Restrict the `ASL_STATE_DIR` environment variable to a safe, user-specific directory. If an override is necessary, validate the provided path to ensure it is within an allowed sandbox or a non-sensitive location. Avoid resolving arbitrary paths with `Path(p).expanduser().resolve()` if the input `p` is untrusted.	LLM	scripts/asl-tool.py:86
MEDIUM	Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration.	Static	skills/kj5irq/asl-control/scripts/asl-tool.py:41

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/3a4c5a4f546165a6.svg)](https://skillshield.io/report/3a4c5a4f546165a6)