Trust Assessment
claw received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include Arbitrary Command Execution via `subexec`, Excessive Permissions Granted by `subexec`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary Command Execution via `subexec` The `claw.events subexec` command is explicitly designed to execute arbitrary shell commands or scripts in response to messages received on a channel. This functionality allows an AI agent to perform any action permitted by the underlying operating system, including malicious commands, if it is prompted to do so. The command `claw.events subexec <channel> -- <command>` directly exposes a command injection vulnerability where `<command>` can be controlled by the AI agent, leading to potential system compromise or data manipulation. Given that `subexec` is a core feature of this skill, direct remediation within the skill's description is not applicable. However, the host environment (the AI agent platform) must implement strict sandboxing and access controls for any skill that allows arbitrary command execution. This includes running the agent in a containerized environment with minimal privileges, restricting network access, and limiting filesystem access to only necessary directories. Additionally, any commands passed to `subexec` by the AI agent should be thoroughly validated and sanitized to prevent unintended shell metacharacter interpretation if parts of the command are derived from untrusted message content. | LLM | SKILL.md:200 | |
| HIGH | Excessive Permissions Granted by `subexec` The `claw.events subexec` command, by enabling the execution of arbitrary shell commands, inherently grants excessive permissions to the AI agent. This means the agent can execute any command that the user running the agent has permissions for, including reading/writing files, making network requests, or modifying system configurations. This broad access significantly increases the attack surface and potential impact of a successful command injection or prompt injection attack. Similar to command injection, the `subexec` feature itself grants broad permissions. Remediation should focus on the host environment: running the AI agent with the principle of least privilege. This involves executing the agent in a highly restricted environment (e.g., a container or VM) with a dedicated, non-privileged user, and strictly limiting its access to the filesystem, network, and other system resources. The AI agent platform should also provide mechanisms for administrators to review and approve the specific commands or scripts that an agent is allowed to execute via `subexec`. | LLM | SKILL.md:200 |
Scan History
Embed Code
[](https://skillshield.io/report/a21dd6d63f75eb74)
Powered by SkillShield