Security Audit

channel

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

channel received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 9 findings: 2 critical, 4 high, 3 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Suspicious import: urllib.request, Potential data exfiltration: file read + network send.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.

Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

40%

Static Code Analysis

49%

Dependency Graph

100%

LLM Behavioral Safety

70%

Behavioral Risk Signals

Network Access

4 findings

Filesystem Write

8 findings

Shell Execution

5 findings

Excessive Permissions

2 findings

Security Findings9

Severity	Finding	Layer	Location
CRITICAL	Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/alphafactor/channel/SKILL.md:31
CRITICAL	Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/alphafactor/channel/SKILL.md:38
HIGH	Potential data exfiltration: file read + network send Function 'get_access_token' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers.	Static	skills/alphafactor/channel/scripts/channel.py:66
HIGH	Potential data exfiltration: file read + network send Function 'upload_image' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers.	Static	skills/alphafactor/channel/scripts/channel.py:99
HIGH	Arbitrary local file upload via user-controlled image path The `upload_image` function and `process_content` function allow uploading local files specified by the user (via `--cover` argument or Markdown image syntax) to WeChat's media server. If an attacker can control the `image_path` argument, they could trick the agent into uploading sensitive local files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) to an external service (WeChat). While WeChat is a legitimate service, uploading arbitrary local files constitutes data exfiltration if the file content is sensitive and the upload is not intended by the user. Implement strict validation and sanitization of `image_path` arguments. Consider restricting file access to a specific, isolated directory or requiring explicit user confirmation for file uploads, especially for paths outside a designated content directory. For LLM agents, ensure that user-provided paths are not directly passed to the skill without validation.	LLM	scripts/channel.py:100
HIGH	Arbitrary local file read via user-controlled content file path The `create_draft` function allows reading content from a local file specified by the user via the `--file` argument. If an attacker can control this argument, they could trick the agent into reading sensitive local files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) and then including their content in the draft, which is subsequently sent to WeChat's API. This constitutes data exfiltration. Implement strict validation and sanitization of `file_path` arguments. Consider restricting file access to a specific, isolated directory or requiring explicit user confirmation for reading files, especially for paths outside a designated content directory. For LLM agents, ensure that user-provided paths are not directly passed to the skill without validation.	LLM	scripts/channel.py:266
MEDIUM	Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration.	Static	skills/alphafactor/channel/scripts/channel.py:12
MEDIUM	Persistence mechanism: Shell RC file modification Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration.	Static	skills/alphafactor/channel/SKILL.md:31
MEDIUM	Persistence mechanism: Shell RC file modification Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration.	Static	skills/alphafactor/channel/SKILL.md:38

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/d4c16ce2626abc7b.svg)](https://skillshield.io/report/d4c16ce2626abc7b)