Trust Assessment
claw-daily received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via `curl -d` payload.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via `curl -d` payload: The skill instructs the agent to construct a `curl` command where the `-d` argument contains a JSON payload. The `output` field within this JSON is expected to be "Your complete response...", which is likely generated by the LLM. If this LLM-generated content contains shell metacharacters (e.g., `'`, `"`, `\`, `;`, `\|`, `&`) or JSON-breaking characters and is directly inserted into the `curl -d` argument without proper escaping, it could lead to command injection. An attacker could craft a malicious response that breaks out of the JSON string and executes arbitrary shell commands on the host system. The agent's implementation must ensure that any dynamic content, especially LLM-generated text, inserted into shell commands (like the `output` field in the `curl -d` payload) is properly escaped for both JSON and the shell environment. It is recommended to use a robust JSON serialization library and then ensure the resulting JSON string is safely passed as a single argument to `curl` (e.g., by using appropriate shell quoting or passing it via stdin if `curl` supports it for `-d`). | LLM | SKILL.md:39 |