Trust Assessment
bid-analysis-comparator received a trust score of 87/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 2 medium, and 0 low severity. Key findings include "Missing required field: name" and "Unsafe File Write via User-Controlled Path".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/datadrivenconstruction/bid-analysis-comparator/SKILL.md:1 |
| MEDIUM | **Unsafe File Write via User-Controlled Path.** The `export_analysis` method writes an Excel file to a path (`output_path`) provided as an argument without any path sanitization or validation. This could allow an attacker to write files to arbitrary locations on the file system if the skill is executed with sufficient write permissions (e.g., path traversal attacks like `../../../../tmp/malicious.xlsx`). This represents an excessive permission risk if the skill's execution environment is not properly sandboxed. Implement robust path sanitization for `output_path` to ensure files are written only within an allowed, sandboxed directory. Alternatively, ensure the execution environment for the skill strictly limits file system write access to designated safe directories, preventing writes to sensitive system locations. | LLM | SKILL.md:107 |