Trust Assessment
autonomous-agent received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 3 high, 1 medium, and 0 low severity. Key findings include Excessive Permissions: Node.js and npm execution, Supply Chain Risk: Unpinned Git Clone, Supply Chain Risk: Unpinned npm Dependencies.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Excessive Permissions: Node.js and npm execution. The skill's manifest explicitly requests the ability to execute the 'node' and 'npm' binaries. These are general-purpose programming language runtimes and package managers, granting extensive capabilities including arbitrary code execution, network access, and file system manipulation. This level of permission is highly privileged and significantly increases the attack surface, allowing a malicious or compromised skill to perform almost any action on the host system. Re-evaluate the necessity of granting full 'node' and 'npm' execution. If possible, restrict the skill to a more sandboxed environment or use more granular, purpose-built tools. Ensure all code executed by 'node' or 'npm' is thoroughly audited and sandboxed. | LLM | SKILL.md |
| HIGH | Supply Chain Risk: Unpinned Git Clone. The installation instructions use 'git clone' without specifying a commit hash or tag. This means the skill's source code is not pinned to a specific version and can change unexpectedly if the remote repository's 'main' branch is updated. An attacker gaining control of the upstream repository could inject malicious code, which would then be pulled and executed by users installing the skill. Pin the 'git clone' operation to a specific commit hash or tag (e.g., 'git clone -b <tag_or_commit> ...'). This ensures deterministic builds and prevents unexpected code changes from being introduced without explicit review. | LLM | SKILL.md:17 |
| HIGH | Supply Chain Risk: Unpinned npm Dependencies. The installation instructions include 'npm install' without explicitly mentioning the use of a 'package-lock.json' or 'yarn.lock' file. Without a lock file, 'npm install' will fetch the latest compatible versions of dependencies, which can change over time. This introduces non-determinism and a significant supply chain risk, as a compromised or malicious update to any dependency could be pulled into the skill without explicit review. Ensure that a 'package-lock.json' or 'yarn.lock' file is committed to the repository and used during installation. This pins dependency versions, ensuring deterministic builds and mitigating risks from unexpected dependency updates. Regularly audit and update dependencies in a controlled manner. | LLM | SKILL.md:18 |
| HIGH | Credential Handling: Sensitive Environment Variables Required. The skill requires several highly sensitive environment variables, including 'HUGGINGFACE_API_KEY', 'HF_TOKEN', 'APTOS_WALLET_PATH', 'EVM_WALLET_PATH', and 'EVM_PRIVATE_KEY'. These credentials grant access to external services and cryptocurrency wallets. While the documentation itself doesn't exfiltrate them, their presence as required inputs significantly increases the attack surface. A compromised or malicious agent could harvest these credentials, leading to unauthorized access, financial loss, or data breaches. Implement robust security practices for handling these credentials within the agent's code, such as secure storage, least-privilege access, and strict input validation. Consider using secrets management services or ephemeral credentials where possible. Users should be strongly cautioned about the risks associated with providing these credentials to any untrusted skill. | LLM | SKILL.md:25 |
| MEDIUM | Data Exfiltration Risk: Access to Sensitive User Data Tools. The skill provides access to tools such as 'link_bank_account', 'get_agent_reputation_score_by_email', and 'get_borrower_score_by_email'. These tools inherently handle highly sensitive personal and financial information (bank linking tokens, email addresses, reputation/borrower scores). While the documentation only describes their functionality, any vulnerability in the agent's implementation, the MCP server, or the underlying services (e.g., Plaid) could lead to severe data exfiltration or privacy breaches. Thoroughly audit the implementation of these sensitive tools within the agent and the MCP server for security vulnerabilities (e.g., injection flaws, improper access controls, insecure data handling). Ensure data is encrypted in transit and at rest, and adhere to privacy regulations. Implement strict logging and monitoring for access to these tools. | LLM | SKILL.md:50 |
Full report: https://skillshield.io/report/323f7d59bb3bad27