Trust Assessment
claw-control received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 2 critical, 2 high, 1 medium, and 0 low severity. Key findings include LLM instructed to handle and store sensitive API tokens, Explicit shell command execution instructed, Excessive permissions requested via GitHub PAT scopes.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 3/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **LLM instructed to handle and store sensitive API tokens.** The skill explicitly instructs the LLM to request, receive, and store highly sensitive user credentials such as GitHub Personal Access Tokens (with 'repo' and 'workflow' scopes) and Railway API tokens. In 'Option D: ULTIMATE Automation', the skill further instructs the LLM to use browser automation to navigate to dashboards, create, copy, and store these API tokens directly. These tokens grant significant control over the user's cloud accounts and GitHub repositories. Storing them in 'TOOLS.md' or having the LLM handle them directly poses a high risk of compromise if the LLM's context or storage is breached. Remediation: avoid instructing the LLM to directly handle or store sensitive API keys and tokens. Instead, guide the user to configure these securely outside the LLM's direct access, for example via environment variables or a dedicated secrets management system. If direct handling is unavoidable, implement strict ephemeral storage and immediate redaction policies. | LLM | SKILL.md:160 |
| CRITICAL | **Explicit shell command execution instructed.** The skill explicitly instructs the LLM to execute shell commands, including `curl` for API interactions and `sudo apt install` or `brew install` for system package management. This grants the LLM direct shell execution capabilities, which can lead to command injection vulnerabilities if inputs to these commands are not properly sanitized or if the LLM is manipulated into executing arbitrary commands. Remediation: avoid direct shell command execution by the LLM. If external interactions are necessary, use sandboxed, purpose-built tools or APIs with minimal privileges. Ensure any parameters passed to external commands are strictly validated and sanitized to prevent command injection. | LLM | SKILL.md:390 |
| HIGH | **Excessive permissions requested via GitHub PAT scopes.** The skill instructs the user to generate a GitHub Personal Access Token (PAT) with 'repo' and 'workflow' scopes. These scopes grant broad permissions, allowing the LLM to read and write all public and private repositories and to manage GitHub Actions workflows. This level of access is excessive for many tasks and significantly increases the blast radius in case of LLM compromise or misdirection, potentially leading to unauthorized code changes, data exfiltration, or CI/CD pipeline manipulation. Remediation: request the minimum necessary GitHub PAT scopes. For example, if only repository read access is needed, request `public_repo` or `repo:status` instead of full `repo`. Avoid the `workflow` scope unless it is absolutely critical for the skill's core functionality, and ensure robust input validation. | LLM | SKILL.md:200 |
| HIGH | **Extensive browser automation capabilities granted to LLM.** The skill heavily relies on and encourages the use of browser automation (`browser.navigate`, `browser.click`, `browser.type`, `browser.copy`) for sensitive operations such as logging into services via OAuth, creating projects, and retrieving API keys directly from web dashboards. This grants the LLM highly privileged access to the user's web sessions and can be exploited for unauthorized actions (e.g., making purchases, sending emails, accessing sensitive web applications) or data exfiltration if the LLM is compromised or misdirected. Remediation: minimize the use of direct browser automation for sensitive tasks. If it is necessary, implement strict guardrails, allow-lists for URLs, and user-in-the-loop approvals for critical actions. Consider using dedicated APIs instead of UI automation where possible, or ensure the browser environment is isolated and ephemeral. | LLM | SKILL.md:280 |
| MEDIUM | **Environment variables used for sensitive data in script.** The `update_dashboard.js` script accesses `process.env.CLAW_CONTROL_URL` and `process.env.CLAW_CONTROL_API_KEY`. While using environment variables is generally better than hardcoding, if the script is executed in an environment where these variables are not properly secured or are accessible to other processes, it could lead to data leakage. The skill also instructs the LLM to store API keys in `TOOLS.md`, which could be read by other processes or by the LLM itself. Remediation: ensure that environment variables containing sensitive data are managed securely within the execution environment. Implement least-privilege access for scripts and processes that read these variables. For LLM agents, consider using a dedicated secrets management tool or a secure prompt-time injection mechanism rather than relying on the LLM to 'remember' or store secrets in plain-text files. | LLM | templates/update_dashboard.js:7 |
Full report: https://skillshield.io/report/44e3183589d31bb6