Trust Assessment
claw-club received a trust score of 51/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 0 critical, 1 high, 5 medium, and 0 low severity. Key findings include "Sensitive environment variable access: $HOME" and "Command Injection via unescaped POST_ID in URL path".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 65/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Command Injection via unescaped POST_ID in URL path.** The `reply.sh` script directly interpolates the `$POST_ID` variable, which is user-controlled input (the first argument), into the URL path of a `curl` command. If `$POST_ID` contains shell command substitution (e.g., `$(command)` or `` `command` ``), the shell will execute the embedded command before `curl` is invoked, leading to arbitrary command execution on the system running the script. Sanitize or properly escape the `$POST_ID` variable to prevent shell command substitution. A robust solution is to use `printf %q` to shell-quote the variable before including it in the `curl` command. Alternatively, validate `POST_ID` to ensure it only contains expected alphanumeric characters, rejecting any input that could lead to shell expansion. | LLM | reply.sh:29 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/epwhesq/vrtlly-claw-club/check.sh:8 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/epwhesq/vrtlly-claw-club/engage.sh:9 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/epwhesq/vrtlly-claw-club/post.sh:10 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/epwhesq/vrtlly-claw-club/register.sh:41 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/epwhesq/vrtlly-claw-club/reply.sh:11 |