Trust Assessment
cherry-mcp received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 5 critical, 1 high, 0 medium, and 1 low severity. Key findings include Arbitrary command execution, Node lockfile missing, and Arbitrary Command Execution via Configured MCP Servers.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution**: Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/bitbrujo/cherry-mcp/bridge.js:7 |
| CRITICAL | **Arbitrary command execution**: Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/bitbrujo/cherry-mcp/cli.js:8 |
| CRITICAL | **Arbitrary command execution**: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/bitbrujo/cherry-mcp/cli.js:119 |
| CRITICAL | **Arbitrary Command Execution via Configured MCP Servers**: The `bridge.js` script spawns child processes using `command` and `args` directly loaded from `config.json`. The `cli.js` tool allows users to add and configure these server commands. An attacker who can modify `config.json` (e.g., by gaining file system access or by tricking a user into running `cli.js add-server` with malicious input) can achieve arbitrary code execution on the host system with the privileges of the `bridge.js` process. While the documentation states 'Commands are user-configured only,' this mechanism represents a direct command injection vulnerability if the configuration source is compromised. Implement stricter validation or sandboxing for user-defined commands. If arbitrary commands are truly intended, clearly document the severe security implications and recommend running the bridge in a highly restricted environment (e.g., a container with minimal privileges). Consider using a whitelist of allowed commands/executables if possible. | LLM | bridge.js:46 |
| CRITICAL | **Plaintext Credential Storage and Exposure via CLI**: The `cli.js set-env` command allows users to store environment variables, including sensitive API keys (e.g., `GITHUB_TOKEN`), directly into `config.json` in plain text. Subsequently, the `cli.js show-config` command prints the entire `config.json` content, including these plaintext secrets, to standard output. This creates a critical vulnerability where any attacker with access to the `config.json` file or the ability to execute `cli.js show-config` can harvest all stored credentials. The `SKILL.md` warns about this, but the functionality itself is a severe risk. Avoid storing sensitive credentials in plaintext configuration files. Instead, recommend using environment variables exclusively (as suggested in the `SKILL.md` as an alternative) or integrate with a secure secret management system. If configuration storage is necessary, encrypt sensitive values at rest and decrypt them only at runtime. Restrict access to `config.json` and `cli.js`. | LLM | cli.js:70 |
| HIGH | **Potential for Privilege Escalation due to Arbitrary Command Execution**: The `bridge.js` script is designed to spawn arbitrary child processes based on user-defined commands in `config.json`. The `SKILL.md` suggests running the bridge using `pm2 start bridge.js` and even `pm2 startup` for auto-start on boot. If `pm2` or the `bridge.js` process itself is run with elevated privileges (e.g., as root or a highly privileged service account), any command injection (as identified in Finding 1) could lead to privilege escalation, allowing an attacker to execute arbitrary code with those elevated permissions. Always run the `cherry-mcp` bridge with the lowest possible user privileges. If `pm2 startup` is used, ensure it's configured to run as a dedicated, unprivileged user. Implement OS-level sandboxing (e.g., containers, cgroups, namespaces) to isolate the bridge process and its spawned children from the rest of the system. | LLM | bridge.js:46 |
| LOW | **Node lockfile missing**: package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/bitbrujo/cherry-mcp/package.json |