Security Audit

claw

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

claw received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 31 findings: 27 critical, 2 high, 1 medium, and 0 low severity. Key findings include Remote code execution: curl/wget pipe to shell, Sensitive environment variable access: $HOME, Skill requires broad Google Workspace permissions.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

Dependency Graph

100%

LLM Behavioral Safety

70%

Behavioral Risk Signals

Network Access

27 findings

Filesystem Write

2 findings

Shell Execution

29 findings

Dynamic Code

1 finding

Excessive Permissions

3 findings

Security Findings31

Severity	Finding	Layer	Location
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:31
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:40
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:47
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:97
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:114
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:135
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:151
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:160
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:171
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:219
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:226
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:242
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:285
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:292
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:301
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:310
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:329
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:338
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:345
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:358
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:388
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:395
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:410
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:419
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:438
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/SKILL.md:447
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Static	skills/cto1/clawemail/scripts/token.sh:35
HIGH	Sensitive credentials and tokens exposed via known file paths The skill explicitly documents the location of sensitive credentials (`~/.config/clawemail/credentials.json`) and the environment variable (`CLAWEMAIL_CREDENTIALS`) pointing to them. Additionally, the `scripts/token.sh` caches the generated access token in `~/.cache/clawemail/access_token`. An LLM, if maliciously prompted, could be instructed to read these files (e.g., using `cat`) and exfiltrate the `client_id`, `client_secret`, `refresh_token`, or `access_token`. Implement strict sandboxing for skill execution environments to prevent file system access outside of designated directories. Ensure the LLM is robustly protected against prompt injection that could lead to file reading commands. Consider encrypting credentials at rest.	LLM	SKILL.md:10
HIGH	Shell script argument susceptible to command injection The `scripts/token.sh` script accepts an optional argument (`$1`) to specify the credentials file path. If an LLM is prompted to call this script with a malicious argument containing shell metacharacters (e.g., `$(~/.openclaw/skills/clawemail/scripts/token.sh "; rm -rf /")`), it could lead to arbitrary command execution on the host system. While the provided examples do not pass arguments, the script's design allows for this vulnerability if the LLM deviates from intended usage due to prompt injection. Modify `scripts/token.sh` to explicitly validate or sanitize the `$1` argument if it's intended to be a file path, or remove the ability to pass it as an argument if it's not needed for the skill's intended operation. Alternatively, ensure the execution environment strictly limits the shell's capabilities or the LLM's ability to construct arbitrary shell commands.	LLM	scripts/token.sh:7
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/cto1/clawemail/scripts/token.sh:7
INFO	Skill requires broad Google Workspace permissions The skill's manifest and documentation indicate it requires extensive permissions across Google Workspace services (Gmail, Drive, Docs, Sheets, Slides, Calendar, Forms). While necessary for its stated functionality, this grants a high level of access to user data. Any compromise of the skill or the LLM using it could lead to significant data exposure or manipulation. Users should be aware of the broad permissions requested by this skill. Ensure the LLM's access to this skill is strictly controlled and monitored.	LLM	SKILL.md:10

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/9d6ec60c3da0bbda.svg)](https://skillshield.io/report/9d6ec60c3da0bbda)