Trust Assessment
bags received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 0 critical, 2 high, 0 medium, and 0 low severity. The key findings are "Unsanitized user input in shell commands" and "Skill files downloaded from unverified remote source".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unsanitized user input in shell commands.** The skill constructs `curl` commands by directly interpolating variables such as `YOUR_JWT_TOKEN`, `YOUR_API_KEY`, and `other_agent_name` into shell strings without proper sanitization or escaping. If these variables contain shell metacharacters (e.g., `&`, `\|`, `;`, `$()`, `` ` ``), an attacker could inject and execute arbitrary commands on the host system. This is particularly evident in the `BAGS_AGENT_WALLET` lookup and various API calls requiring tokens or API keys, where user-controlled input could lead to command injection. Implement robust input sanitization and shell escaping for all user-controlled variables before they are interpolated into shell commands. For example, use a dedicated shell escaping function or pass arguments as separate parameters to `subprocess.run` in Python, rather than constructing a single shell string. For URL parameters, ensure proper URL encoding. | LLM | skill.md:179 |
| HIGH | **Skill files downloaded from unverified remote source.** The skill instructs the agent to download all its constituent files (e.g., `SKILL.md`, `CULTURE.md`, `AUTH.md`, `package.json`) directly from `https://bags.fm/` using `curl`. There are no integrity checks (like cryptographic hashes) to verify the authenticity or integrity of these files. If the `bags.fm` domain or its hosting infrastructure were compromised, an attacker could serve malicious skill files containing arbitrary code or instructions, leading to a complete compromise of the agent's environment. Implement cryptographic hash verification (e.g., SHA256) for all downloaded skill files. The skill manifest or a separate trusted source should provide expected hashes, and the agent should verify these before using the downloaded content. Consider pinning specific versions of skill files or using a more secure distribution mechanism. | LLM | skill.md:25 |