Security Audit

balance-management

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned 3 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

balance-management received a trust score of 37/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 11 findings: 0 critical, 6 high, 5 medium, and 0 low severity. Key findings include Sensitive environment variable access: $HOME, Command injection via baseUrl in config file, Command injection via unvalidated invoice ID.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 3/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

72%

Dependency Graph

100%

LLM Behavioral Safety

Behavioral Risk Signals

Network Access

6 findings

Filesystem Write

5 findings

Shell Execution

11 findings

Dynamic Code

7 findings

Excessive Permissions

4 findings

Security Findings11

Severity	Finding	Layer	Location
HIGH	Command injection via baseUrl in config file The `BASE_URL` variable is read from `$HOME/.openclaw/openclaw.json` and directly interpolated into `curl` commands. If an attacker can modify this configuration file to include shell command substitutions (e.g., `$(command)` or backticks) in the `baseUrl` field, arbitrary commands could be executed, and their output potentially embedded in the URL sent to the server, leading to data exfiltration or other side effects. Ensure that `BASE_URL` is strictly validated to conform to URL standards and does not contain shell metacharacters or command substitutions. Consider using a more robust method for making HTTP requests that doesn't involve direct shell interpolation of potentially untrusted strings, or strictly validate the `baseUrl` format.	LLM	check_balance.sh:11
HIGH	Command injection via baseUrl in config file The `BASE_URL` variable is read from `$HOME/.openclaw/openclaw.json` and directly interpolated into `curl` commands. If an attacker can modify this configuration file to include shell command substitutions (e.g., `$(command)` or backticks) in the `baseUrl` field, arbitrary commands could be executed, and their output potentially embedded in the URL sent to the server, leading to data exfiltration or other side effects. Ensure that `BASE_URL` is strictly validated to conform to URL standards and does not contain shell metacharacters or command substitutions. Consider using a more robust method for making HTTP requests that doesn't involve direct shell interpolation of potentially untrusted strings, or strictly validate the `baseUrl` format.	LLM	create_invoice.sh:20
HIGH	Command injection via unvalidated invoice ID The `INVOICE_ID` is taken directly from user input (`$1`) and interpolated into a `curl` command's URL path without proper sanitization. If the user provides an `INVOICE_ID` containing shell command substitutions (e.g., `$(command)` or backticks), arbitrary commands could be executed, and their output potentially embedded in the URL sent to the server. Validate and sanitize `INVOICE_ID` to ensure it only contains expected characters (e.g., alphanumeric, hyphens). Alternatively, use `printf %q` to properly quote the variable if it must be passed to a shell command, or use a safer method for URL construction that automatically handles escaping.	LLM	invoice_status.sh:17
HIGH	Command injection via baseUrl in config file The `BASE_URL` variable is read from `$HOME/.openclaw/openclaw.json` and directly interpolated into `curl` commands. If an attacker can modify this configuration file to include shell command substitutions (e.g., `$(command)` or backticks) in the `baseUrl` field, arbitrary commands could be executed, and their output potentially embedded in the URL sent to the server, leading to data exfiltration or other side effects. Ensure that `BASE_URL` is strictly validated to conform to URL standards and does not contain shell metacharacters or command substitutions. Consider using a more robust method for making HTTP requests that doesn't involve direct shell interpolation of potentially untrusted strings, or strictly validate the `baseUrl` format.	LLM	invoice_status.sh:17
HIGH	Command injection via unvalidated Cashu token The `CASHU_TOKEN` is taken directly from user input (`$1`) and used within a command substitution `$(echo "${CASHU_TOKEN}" \| jq -sRr @uri)`. If the user provides a `CASHU_TOKEN` containing shell command substitutions (e.g., `$(command)` or backticks), arbitrary commands could be executed before `jq` processes the token, leading to direct command execution. Validate and sanitize `CASHU_TOKEN` to ensure it only contains expected characters. When passing user input to `echo` or other commands within a command substitution, ensure the input is properly quoted or escaped to prevent shell expansion. For example, `printf '%s' "$CASHU_TOKEN" \| jq -sRr @uri`.	LLM	topup_cashu.sh:20
HIGH	Command injection via baseUrl in config file The `BASE_URL` variable is read from `$HOME/.openclaw/openclaw.json` and directly interpolated into `curl` commands. If an attacker can modify this configuration file to include shell command substitutions (e.g., `$(command)` or backticks) in the `baseUrl` field, arbitrary commands could be executed, and their output potentially embedded in the URL sent to the server, leading to data exfiltration or other side effects. Ensure that `BASE_URL` is strictly validated to conform to URL standards and does not contain shell metacharacters or command substitutions. Consider using a more robust method for making HTTP requests that doesn't involve direct shell interpolation of potentially untrusted strings, or strictly validate the `baseUrl` format.	LLM	topup_cashu.sh:20
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/sh1ftred/routstr-balance-management/check_balance.sh:4
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/sh1ftred/routstr-balance-management/create_invoice.sh:4
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/sh1ftred/routstr-balance-management/invoice_status.sh:4
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/sh1ftred/routstr-balance-management/topup_cashu.sh:4
MEDIUM	API key sent in request body, vulnerable to exfiltration The `API_KEY` is included directly in the JSON request body (`"api_key": "${API_KEY}"`) when creating an invoice. While it's sent to the intended endpoint, if the `BASE_URL` is compromised or controlled by an attacker (e.g., via the command injection vulnerability mentioned above), the API key could be exfiltrated to an unauthorized third party. API keys should ideally only be sent in `Authorization` headers. Remove the `api_key` from the JSON request body. Ensure the API endpoint is configured to accept the API key only via the `Authorization: Bearer` header, which is already used in other scripts.	LLM	create_invoice.sh:22

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/82269c3005f91af4.svg)](https://skillshield.io/report/82269c3005f91af4)