Trust Assessment
claw-conductor received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 45 findings: 22 critical, 22 high, 1 medium, and 0 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Command Injection via User-Controlled Project Name/Request.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings45
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnsonfarmsus/claw-conductor/scripts/consolidator.py:116 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnsonfarmsus/claw-conductor/scripts/consolidator.py:144 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnsonfarmsus/claw-conductor/scripts/consolidator.py:166 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnsonfarmsus/claw-conductor/scripts/consolidator.py:202 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnsonfarmsus/claw-conductor/scripts/consolidator.py:205 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnsonfarmsus/claw-conductor/scripts/consolidator.py:224 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnsonfarmsus/claw-conductor/scripts/consolidator.py:232 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnsonfarmsus/claw-conductor/scripts/consolidator.py:295 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnsonfarmsus/claw-conductor/scripts/decomposer.py:334 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnsonfarmsus/claw-conductor/scripts/project_manager.py:73 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnsonfarmsus/claw-conductor/scripts/project_manager.py:129 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnsonfarmsus/claw-conductor/scripts/project_manager.py:130 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnsonfarmsus/claw-conductor/scripts/project_manager.py:138 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnsonfarmsus/claw-conductor/scripts/project_manager.py:149 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnsonfarmsus/claw-conductor/scripts/project_manager.py:150 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnsonfarmsus/claw-conductor/scripts/project_manager.py:155 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnsonfarmsus/claw-conductor/scripts/project_manager.py:162 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnsonfarmsus/claw-conductor/scripts/project_manager.py:180 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnsonfarmsus/claw-conductor/scripts/project_manager.py:185 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/johnsonfarmsus/claw-conductor/scripts/worker_pool.py:228 | |
| CRITICAL | Command Injection via User-Controlled Project Name/Request The skill explicitly instructs the agent to execute a `python3 -c` command where user-provided `request` and `project_name` are directly interpolated into the shell command string. A malicious user can inject shell metacharacters or Python code to execute arbitrary commands on the host system. For example, `project_name='foo; rm -rf /'` or `request="'; import os; os.system('malicious_command')"` could lead to severe system compromise. Avoid direct interpolation of untrusted user input into shell commands. Use `subprocess.run` with `shell=False` and pass arguments as a list. For Python code execution, ensure user input is properly sanitized or executed within a sandboxed environment. If `request` and `project_name` are intended as Python string literals, they must be properly escaped (e.g., using `shlex.quote` for shell arguments or `json.dumps` for Python string literals). | LLM | SKILL.md:89 | |
| CRITICAL | Command Injection via User-Controlled Project Name in Git/GH CLI Commands The `ProjectManager` class constructs `workspace_path` and directly uses user-derived `name` in `subprocess.run` calls for `git` and `gh` CLI commands. Specifically, `_create_github_repo` uses `gh repo create name` and `_init_git` uses `cwd=workspace_path`. If `name` contains shell metacharacters (e.g., `'; malicious_command'`), it can lead to arbitrary command execution. The `git remote add` command also interpolates `github_user` and `name` into an f-string, which is then passed to `subprocess.run`. Sanitize user-provided `name` and `github_user` to remove or escape any shell metacharacters before passing them to `subprocess.run`. Always use `shell=False` and pass arguments as a list to `subprocess.run` to prevent shell injection. Ensure `name` is validated to be a safe string (e.g., alphanumeric, hyphens, underscores) and does not contain path traversal sequences. | LLM | scripts/project_manager.py:109 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_check_git_conflicts'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/johnsonfarmsus/claw-conductor/scripts/consolidator.py:116 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_commit_changes'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/johnsonfarmsus/claw-conductor/scripts/consolidator.py:202 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_commit_changes'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/johnsonfarmsus/claw-conductor/scripts/consolidator.py:205 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_commit_changes'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/johnsonfarmsus/claw-conductor/scripts/consolidator.py:224 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_commit_changes'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/johnsonfarmsus/claw-conductor/scripts/consolidator.py:232 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_push_to_github'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/johnsonfarmsus/claw-conductor/scripts/consolidator.py:295 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_run_tests'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/johnsonfarmsus/claw-conductor/scripts/consolidator.py:144 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_run_tests'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/johnsonfarmsus/claw-conductor/scripts/consolidator.py:166 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_invoke_openclaw_task'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/johnsonfarmsus/claw-conductor/scripts/decomposer.py:334 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_create_github_repo'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/johnsonfarmsus/claw-conductor/scripts/project_manager.py:180 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_create_github_repo'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/johnsonfarmsus/claw-conductor/scripts/project_manager.py:185 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'create_project'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/johnsonfarmsus/claw-conductor/scripts/project_manager.py:129 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'create_project'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/johnsonfarmsus/claw-conductor/scripts/project_manager.py:130 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_init_git'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/johnsonfarmsus/claw-conductor/scripts/project_manager.py:149 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_init_git'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/johnsonfarmsus/claw-conductor/scripts/project_manager.py:150 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_init_git'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/johnsonfarmsus/claw-conductor/scripts/project_manager.py:155 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_init_git'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/johnsonfarmsus/claw-conductor/scripts/project_manager.py:162 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'create_project'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/johnsonfarmsus/claw-conductor/scripts/project_manager.py:73 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'create_project'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/johnsonfarmsus/claw-conductor/scripts/project_manager.py:138 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_execute_task_with_model'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/johnsonfarmsus/claw-conductor/scripts/worker_pool.py:228 | |
| HIGH | Excessive Permissions / Path Traversal via User-Controlled Project Name The `ProjectManager.create_project` method constructs the `workspace_path` using `self.projects_root / name`, where `name` is derived from user input. If a malicious user provides a `name` containing path traversal sequences (e.g., `../../etc`), the skill could create or modify files outside the intended `/root/projects` directory, leading to arbitrary file write or modification. This grants excessive permissions to user-controlled input. Strictly validate `project_name` to prevent path traversal. Ensure `name` does not contain `.` or `..` path segments, or any directory separators. A whitelist approach (e.g., allowing only alphanumeric characters, hyphens, and underscores) is recommended for project names. | LLM | scripts/project_manager.py:36 | |
| HIGH | Command Injection in Consolidator via User-Controlled Workspace Path The `Consolidator` class executes various `git`, `pytest`, and `npm` commands using `subprocess.run` with `cwd=workspace`. The `workspace` path is derived from the `project` dictionary, which originates from `ProjectManager.create_project` and ultimately from user-controlled `project_name`. If `project_name` contains shell metacharacters or path traversal sequences, it could lead to command injection or execution in an unintended directory, allowing arbitrary code execution or file manipulation. Ensure that the `workspace` path is thoroughly sanitized and validated to prevent path traversal and shell metacharacters. The `project_name` (from which `workspace` is derived) must be validated at the earliest point of entry. Always use `subprocess.run` with `shell=False` and pass arguments as a list to prevent shell injection. | LLM | scripts/consolidator.py:90 | |
| MEDIUM | Prompt Injection in Triage and Simple Response Models The `Orchestrator` constructs prompts for external AI models (e.g., `triage_model`, `simple_response` model) by directly embedding user-provided `request` into the prompt string. A malicious user could craft `request` to include instructions that manipulate the behavior of the underlying LLM, potentially leading to unintended actions, information disclosure, or denial of service. Implement robust prompt injection defenses. This includes sanitizing user input before embedding it in prompts, using LLM-specific input escaping mechanisms, or employing techniques like input validation, privilege separation, and human-in-the-loop verification for sensitive operations. Consider using structured inputs for LLMs where possible, rather than free-form string interpolation. | LLM | scripts/orchestrator.py:140 |
Scan History
Embed Code
[](https://skillshield.io/report/f40ac2895a7b2b88)
Powered by SkillShield