Trust Assessment
butler received a trust score of 48/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 1 critical, 1 high, 2 medium, and 2 low severity. Key findings include "Missing required field: name", "Unpinned npm dependency version", and "Node lockfile missing".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 53/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Raw API Key Exposed in Public Method Return.** The `Butler.allocateTokens` method, which is a public entry point for the skill, returns an `AllocationResult` object. This `AllocationResult` interface explicitly includes a `key?: string` field, and the `TokenManager.selectKey` method (called by `Butler.allocateTokens`) populates this field with the raw API key. This means that any caller of the `Butler.allocateTokens` method will receive the actual API key, directly exposing sensitive credentials. This contradicts the skill's documentation claim that 'API keys never logged (only IDs)'. Modify the `AllocationResult` interface and the `TokenManager.selectKey` method to *never* return the raw API key. Instead, return only the `key_id` or a masked version of the key. The raw key should remain encapsulated within the `TokenManager` and only used internally for API calls. | LLM | src/core/TokenManager.ts:100 |
| HIGH | **Arbitrary File Read via PRD Path.** The `estimateTokensForPRD` method in `TokenManager` reads the content of a file specified by `prdPath`. Since `prdPath` is an argument to the public `allocateTokens` method of the `Butler` class, an untrusted agent could provide a crafted path (e.g., `/etc/passwd`, `/app/secrets.txt`) to read arbitrary files on the system that the skill's process has access to. This constitutes a significant data exfiltration vulnerability. Validate and sanitize `prdPath` to ensure it only points to allowed, non-sensitive files within a designated and restricted directory. Consider using a file picker or content directly instead of a path if possible, or implement strict allow-listing for file access. | LLM | src/core/TokenManager.ts:200 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/sarthib7/butler/SKILL.md:1 |
| MEDIUM | **Unpinned npm dependency version.** Dependency 'axios' is not pinned to an exact version ('^1.6.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/sarthib7/butler/package.json |
| LOW | **Node lockfile missing.** package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/sarthib7/butler/package.json |
| LOW | **Hardcoded User-Specific Paths for Configuration.** The `TokenManager` constructor uses hardcoded default paths like `/home/tokisaki/.openclaw/workspace/api-keys.json` and `/home/tokisaki/.openclaw/workspace/token-manager-state.json`. While these can be overridden by environment variables, using a specific username (`tokisaki`) in default paths makes the skill brittle and non-portable. It can lead to unexpected behavior or failures if the skill is deployed in an environment where this user or path structure does not exist, or if it runs under a different user context. Replace hardcoded user-specific paths with more generic, environment-agnostic defaults (e.g., relative paths, paths derived from `os.homedir()`, or paths within a skill-specific data directory). Ensure that environment variables are the primary and most robust way to configure these paths. | LLM | src/core/TokenManager.ts:45 |