Trust Assessment
claude-code-wingman received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 2 high, 0 medium, and 0 low severity. Key findings include Command Injection via User-Controlled Arguments, Excessive Permissions: Full Shell Access Granted to LLM, and Data Exfiltration Risk via Unsanitized Command and Session Output.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via User-Controlled Arguments.** The skill explicitly instructs the LLM to execute shell commands (`handle-approval.sh`, `session-status.sh`, `claude-wingman.sh`, `tmux`) where user-provided input (e.g., `<session>`, `<task description>`) is directly interpolated into the command string. This allows an attacker to inject arbitrary shell metacharacters and commands, leading to remote code execution on the host system. This vulnerability is present in multiple sections, including approval commands, status commands, and `claude-wingman.sh` invocations. Implement robust input sanitization for all user-provided arguments before constructing and executing shell commands. Use a safe execution method (e.g., `subprocess.run` with `shell=False` in Python) that passes arguments as a list, preventing shell metacharacter interpretation. Avoid direct string concatenation for command execution. | LLM | SKILL.md:18 |
| HIGH | **Excessive Permissions: Full Shell Access Granted to LLM.** The skill's design grants the AI agent the ability to execute arbitrary shell commands with the full permissions of the user running Clawdbot. This broad access, especially when combined with command injection vulnerabilities, allows for unrestricted filesystem access, process execution, and system modification, far exceeding the principle of least privilege. Re-architect the skill to minimize direct shell command execution. If shell access is strictly necessary, implement a highly restricted execution environment (e.g., chroot, containers) and an allowlist of specific commands and arguments. Run commands with the lowest possible user privileges. | LLM | SKILL.md:18 |
| HIGH | **Data Exfiltration Risk via Unsanitized Command and Session Output.** The skill instructs the LLM to return the raw output of shell commands and to capture and summarize the content of `tmux` sessions. This creates a direct channel for data exfiltration if the executed commands or the `tmux` session output (e.g., from Claude Code's interactions) contain sensitive information such as file contents, environment variables, or credentials. There are no explicit instructions for sanitization or redaction of this output before presenting it to the user. Implement strict sanitization, redaction, and filtering of all command outputs and captured session content before presenting them to the user. Only expose necessary, non-sensitive information. Consider using structured data formats for responses and explicitly defining what information can be shared. | LLM | SKILL.md:27 |