Security Audit

claude-connect

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

claude-connect received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 28 findings: 11 critical, 11 high, 5 medium, and 1 low severity. Key findings include Persistence / self-modification instructions, Credential harvesting, Sensitive path access: AI agent config.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

Static Code Analysis

Dependency Graph

100%

LLM Behavioral Safety

98%

Behavioral Risk Signals

Filesystem Write

4 findings

Shell Execution

16 findings

Excessive Permissions

11 findings

Security Findings28

Severity	Finding	Layer	Location
CRITICAL	Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/tunaissacoding/claude-connect/SKILL.md:100
CRITICAL	Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/tunaissacoding/claude-connect/SKILL.md:188
CRITICAL	Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/tunaissacoding/claude-connect/SKILL.md:193
CRITICAL	Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/tunaissacoding/claude-connect/SKILL.md:196
CRITICAL	Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/tunaissacoding/claude-connect/SKILL.md:224
CRITICAL	Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/tunaissacoding/claude-connect/SKILL.md:255
CRITICAL	Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/tunaissacoding/claude-connect/SKILL.md:256
CRITICAL	Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/tunaissacoding/claude-connect/install.sh:240
CRITICAL	Credential harvesting macOS Keychain credential access Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores.	Manifest	skills/tunaissacoding/claude-connect/refresh-token.sh:155
CRITICAL	Credential harvesting macOS Keychain credential access Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores.	Manifest	skills/tunaissacoding/claude-connect/verify-setup.sh:91
CRITICAL	Credential harvesting macOS Keychain credential access Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores.	Manifest	skills/tunaissacoding/claude-connect/verify-setup.sh:125
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/tunaissacoding/claude-connect/SKILL.md:46
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/tunaissacoding/claude-connect/SKILL.md:149
HIGH	Persistence mechanism: macOS LaunchAgent Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration.	Static	skills/tunaissacoding/claude-connect/SKILL.md:100
HIGH	Persistence mechanism: macOS LaunchAgent Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration.	Static	skills/tunaissacoding/claude-connect/SKILL.md:188
HIGH	Persistence mechanism: macOS LaunchAgent Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration.	Static	skills/tunaissacoding/claude-connect/SKILL.md:193
HIGH	Persistence mechanism: macOS LaunchAgent Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration.	Static	skills/tunaissacoding/claude-connect/SKILL.md:196
HIGH	Persistence mechanism: macOS LaunchAgent Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration.	Static	skills/tunaissacoding/claude-connect/SKILL.md:224
HIGH	Persistence mechanism: macOS LaunchAgent Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration.	Static	skills/tunaissacoding/claude-connect/SKILL.md:255
HIGH	Persistence mechanism: macOS LaunchAgent Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration.	Static	skills/tunaissacoding/claude-connect/SKILL.md:256
HIGH	Persistence mechanism: macOS LaunchAgent Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration.	Static	skills/tunaissacoding/claude-connect/install.sh:240
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/tunaissacoding/claude-connect/test-detection.sh:68
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/tunaissacoding/claude-connect/detect-notification-config.sh:7
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/tunaissacoding/claude-connect/install.sh:17
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/tunaissacoding/claude-connect/refresh-token.sh:20
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/tunaissacoding/claude-connect/uninstall.sh:15
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/tunaissacoding/claude-connect/verify-setup.sh:48
LOW	Malformed JSON generation due to unescaped string The `install.sh` script constructs `claude-oauth-refresh-config.json` using a heredoc. The `notification_target` value, derived from `detect-notification-config.sh`, is embedded directly into the JSON string without proper escaping of special characters like double quotes. If the detected target contains a double quote (e.g., `123"456`), it will result in malformed JSON, causing `jq` to fail when parsing the configuration file in `refresh-token.sh`. This will prevent notifications from being sent, leading to a functional issue rather than a direct security exploit. Ensure that any variable embedded into a JSON string is properly escaped. For shell scripts, this often involves using a tool like `jq` to construct the JSON object or manually escaping special characters. A robust fix would be to construct the JSON object using `jq` directly, passing variables with `--arg` to ensure proper escaping, instead of embedding them directly into a heredoc.	LLM	install.sh:139

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/3a156fd4cbddadb7.svg)](https://skillshield.io/report/3a156fd4cbddadb7)