Trust Assessment
The bring skill received a trust score of 80/100, placing it in the Mostly Trusted category. It passed most security checks, with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The findings are Plaintext Credential Storage and Command-Line Exposure (high) and Unpinned Dependency in Installation Instructions (medium).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Plaintext Credential Storage and Command-Line Exposure.** The skill's `configure` command requires users to pass their email and password as command-line arguments. Those arguments are visible in process listings (`ps aux`) and are usually recorded in shell history files. `scripts/bring-cli.js` then stores the credentials unencrypted in `~/.openclaw/bring/config.json` and does not enforce restrictive permissions on that file, so anyone with access to the user's account, its shell history, or the file can recover the password. The pattern is common in CLI tools, but it is a significant risk here. Recommendation: do not accept credentials as command-line arguments; prompt for them interactively with echo disabled (e.g. `readline-sync` in Node.js). Encrypt credentials at rest or keep them in a secure store (the OS keyring; environment variables only for short-lived tokens). Apply strict permissions (`chmod 600`) to the configuration file immediately after it is created or updated. | LLM | SKILL.md:16 |
| MEDIUM | **Unpinned Dependency in Installation Instructions.** `SKILL.md` instructs users to install the `bring-shopping` npm package globally with `npm install -g bring-shopping`, which resolves to whatever version is latest at install time. Without a pinned version this is a supply-chain risk: if a future release of `bring-shopping` is malicious or introduces a critical vulnerability, users following the instructions install it unknowingly. Recommendation: pin an exact version in the installation command (e.g. `npm install -g bring-shopping@1.2.3`), which makes resolution deterministic; a narrow range such as `npm install -g bring-shopping@^1.2.0` only limits the exposure, since npm still picks the newest matching release. | LLM | SKILL.md:12 |
Full report: https://skillshield.io/report/996efc4fb440b794 (powered by SkillShield)