Trust Assessment
clanker received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 4 critical, 2 high, 2 medium, and 0 low severity. Key findings include "Remote code execution: curl/wget pipe to shell", "Sensitive environment variable access: $HOME", and "Sensitive path access: AI agent config".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Remote code execution: curl/wget pipe to shell | Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/spirosrap/clanker/scripts/clanker.sh:107 |
| CRITICAL | Remote code execution: curl/wget pipe to shell | Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/spirosrap/clanker/scripts/clanker.sh:119 |
| CRITICAL | Unsanitized user input and unquoted variable passed to subprocess | The `clanker.sh` script constructs a command to execute `scripts/deploy.py`. It passes user-provided arguments (`name`, `symbol`) and a potentially user-controlled RPC URL (`rpc_url`) without proper shell sanitization or quoting. The `name` and `symbol` variables are double-quoted (`"$name"`, `"$symbol"`), which protects against word splitting but not against embedded quotes or command substitution if the shell is bash and the arguments are not carefully escaped. More critically, the `rpc_arg` variable, which contains the RPC URL, is constructed with internal double quotes (`rpc_arg="--rpc-url \"$rpc_url\""`) but then used *unquoted* in the final command (`$rpc_arg`). This allows shell metacharacters within `$rpc_url` (e.g., `"; rm -rf /"`) to break out of the intended argument and execute arbitrary commands. For `name` and `symbol`: Use `printf %q` to properly escape these strings for shell execution, or pass them via environment variables or a temporary file. For `rpc_arg`: The `rpc_arg` variable itself should be double-quoted when used in the command: `"$rpc_arg"`. Additionally, the `rpc_url` itself should be validated or escaped before being embedded into `rpc_arg`. A safer approach would be to pass the RPC URL directly as a quoted argument: `python3 ... --rpc-url "$rpc_url"`. | LLM | scripts/clanker.sh:255 |
| CRITICAL | Private key exposed as command-line argument | The `clanker.sh` script retrieves the user's private key from `config.json` and passes it directly as a command-line argument to `scripts/deploy.py`. Command-line arguments are often visible to other processes on the system (e.g., via `ps aux`, `/proc/<pid>/cmdline`) and can be logged in shell history or system logs. This exposes the private key to potential unauthorized access. Pass the private key to `scripts/deploy.py` via a more secure method, such as an environment variable (e.g., `PRIVATE_KEY="$private_key" python3 ...`) or by having `deploy.py` read it from a secure, temporary file or standard input. Ensure `deploy.py` clears the private key from memory after use. Advise users to use environment variables for private keys instead of `config.json` if possible, or to ensure `config.json` has restricted permissions. | LLM | scripts/clanker.sh:255 |
| HIGH | Sensitive path access: AI agent config | Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/spirosrap/clanker/scripts/clanker.sh:371 |
| HIGH | Sensitive path access: AI agent config | Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/spirosrap/clanker/scripts/test.sh:61 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/spirosrap/clanker/scripts/clanker.sh:10 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/spirosrap/clanker/scripts/test.sh:17 |