Security Audit

claw

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

claw received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 29 findings: 28 critical, 0 high, 1 medium, and 0 low severity. Key findings include Remote code execution: curl/wget pipe to shell, Sensitive environment variable access: $HOME, Command Injection via Unsanitized URL Path Parameters in Examples.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

Dependency Graph

100%

LLM Behavioral Safety

70%

Behavioral Risk Signals

Network Access

28 findings

Filesystem Write

1 finding

Shell Execution

29 findings

Dynamic Code

1 finding

Excessive Permissions

1 finding

Security Findings29

Severity	Finding	Layer	Location
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:31
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:40
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:47
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:97
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:114
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:135
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:151
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:160
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:171
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:219
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:226
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:242
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:285
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:292
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:301
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:310
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:329
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:338
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:345
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:358
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:388
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:395
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:410
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:419
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:438
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/SKILL.md:447
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/claw/scripts/token.sh:35
CRITICAL	Command Injection via Unsanitized URL Path Parameters in Examples The skill's `SKILL.md` documentation provides numerous example `curl` commands where placeholders like `MESSAGE_ID`, `FILE_ID`, `DOCUMENT_ID`, `SPREADSHEET_ID`, `PRESENTATION_ID`, `EVENT_ID`, and `FORM_ID` are directly interpolated into double-quoted URL strings. If an LLM or user replaces these placeholders with input containing shell metacharacters (e.g., `;`, `&`, `\|`, `$(...)`, `` ` ``), it can lead to arbitrary command execution on the host system. This is a critical vulnerability as it allows an attacker to break out of the intended `curl` command and execute arbitrary shell commands. This pattern is repeated across all Google Workspace service examples where an ID is part of the URL path. When constructing shell commands, ensure that any user-controlled or LLM-generated input used in URL paths or other command arguments is properly sanitized. For variables interpolated directly into double-quoted shell strings that form part of a URL path, it is critical to prevent shell metacharacters from being interpreted. A robust solution involves URL-encoding the variable's content before interpolation. For example, instead of directly using `$MESSAGE_ID`, first URL-encode it: `MESSAGE_ID_ENCODED=$(python3 -c "import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1], safe=''))" "$MESSAGE_ID")`, and then use `".../messages/$MESSAGE_ID_ENCODED?..."`. Alternatively, strictly constrain the LLM to generate only safe, alphanumeric IDs for these placeholders.	LLM	SKILL.md:41
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/cto1/claw/scripts/token.sh:7

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/765377934eba456a.svg)](https://skillshield.io/report/765377934eba456a)