Trust Assessment
claude-oauth-refresher received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 4 critical, 3 high, 5 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Credential harvesting, Sensitive environment variable access: $HOME.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (12)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions. macOS LaunchAgent/LaunchDaemon persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/tunaissacoding/claude-oauth-refresher/install.sh:251 |
| CRITICAL | Credential harvesting. macOS Keychain credential access. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/tunaissacoding/claude-oauth-refresher/refresh-token.sh:161 |
| CRITICAL | Credential harvesting. macOS Keychain credential access. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/tunaissacoding/claude-oauth-refresher/verify-setup.sh:91 |
| CRITICAL | Credential harvesting. macOS Keychain credential access. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/tunaissacoding/claude-oauth-refresher/verify-setup.sh:125 |
| HIGH | Persistence mechanism: macOS LaunchAgent. Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/tunaissacoding/claude-oauth-refresher/install.sh:251 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/tunaissacoding/claude-oauth-refresher/test-detection.sh:66 |
| HIGH | Command Injection via Python one-liner with unescaped config variable. The `refresh-token.sh` script constructs and executes a Python one-liner using `python3 -c`. The `$KEYCHAIN_FIELD` variable, which is read from the user-editable `claude-oauth-refresh-config.json` file, is directly interpolated into this Python command string without proper escaping. An attacker who can modify the `claude-oauth-refresh-config.json` file (e.g., by setting `keychain_field` to a malicious string like `'; import os; os.system("rm -rf /")'`) could achieve arbitrary code execution with the privileges of the user running the script. Avoid direct interpolation of user-controlled variables into `python -c` or `eval` commands. Instead, pass the variable as an argument to the Python script (e.g., `python3 -c "import sys, json; field=sys.argv[1]; ..." "$KEYCHAIN_FIELD"`) or use a safer JSON parsing method in shell. If the field name is not intended to be configurable, hardcode it. If it must be configurable, strictly validate the input to prevent injection. | LLM | refresh-token.sh:140 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tunaissacoding/claude-oauth-refresher/detect-notification-config.sh:6 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tunaissacoding/claude-oauth-refresher/install.sh:17 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tunaissacoding/claude-oauth-refresher/refresh-token.sh:21 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tunaissacoding/claude-oauth-refresher/uninstall.sh:15 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tunaissacoding/claude-oauth-refresher/verify-setup.sh:48 |