Trust Assessment
claw-sync received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 13 findings: 5 critical, 3 high, 3 medium, and 2 low severity. Key findings include arbitrary command execution, unsafe deserialization / dynamic eval, and a missing Node lockfile.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (13)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/arakichanxd/claw-sync/scripts/pull.js:21 |
| CRITICAL | Arbitrary command execution: Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/arakichanxd/claw-sync/scripts/push.js:18 |
| CRITICAL | Arbitrary command execution: Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/arakichanxd/claw-sync/scripts/setup-cron.js:9 |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/arakichanxd/claw-sync/scripts/pull.js:111 |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/arakichanxd/claw-sync/scripts/push.js:140 |
| HIGH | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/arakichanxd/claw-sync/scripts/pull.js:100 |
| HIGH | Potential Command Injection via Environment Variables: The `BACKUP_REPO` and `BACKUP_TOKEN` environment variables are used directly in shell commands within `scripts/pull.js` and `scripts/push.js` without explicit sanitization for shell metacharacters. While `validateRepoUrl` checks the hostname and protocol, it does not prevent an attacker from injecting shell commands into the `BACKUP_REPO` URL path or the `BACKUP_TOKEN` if they can control the content of `~/.openclaw/.backup.env`. For example, a malicious `BACKUP_REPO` could be `https://github.com/user/repo; rm -rf /` or a malicious `BACKUP_TOKEN` could be `ghp_token; malicious_command`. The `safeExec` function only sanitizes error messages, not the command itself. Ensure that all environment variables used in shell commands are properly escaped or sanitized to prevent shell metacharacter injection. Consider using an array form for `child_process.spawn` or `child_process.execFile` with arguments to avoid shell parsing, or explicitly quote/escape variables like `repoUrl` and `token` when constructing the command string for `execSync`. | LLM | scripts/pull.js:108 |
| HIGH | Potential Command Injection via Environment Variables (Push Script): Similar to `scripts/pull.js`, the `BACKUP_REPO` and `BACKUP_TOKEN` environment variables are used directly in shell commands within `scripts/push.js` without explicit sanitization for shell metacharacters. An attacker controlling `~/.openclaw/.backup.env` could inject shell commands into these variables. The `safeExec` function only sanitizes error messages, not the command itself. Ensure that all environment variables used in shell commands are properly escaped or sanitized to prevent shell metacharacter injection. Consider using an array form for `child_process.spawn` or `child_process.execFile` with arguments to avoid shell parsing, or explicitly quote/escape variables like `repoUrl` and `token` when constructing the command string for `execSync`. | LLM | scripts/push.js:140 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/arakichanxd/claw-sync/scripts/push.js:31 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/arakichanxd/claw-sync/scripts/status.js:32 |
| MEDIUM | Command Injection Risk in Cron Job Suggestion: The `scripts/setup-cron.js` script suggests a manual crontab entry: `0 */12 * * * cd ${WORKSPACE_DIR} && node skills/claw-sync/scripts/push.js >> /tmp/claw-sync.log 2>&1`. While the script itself doesn't execute this, it provides a template that could be vulnerable if `WORKSPACE_DIR` contains shell metacharacters. An attacker who can control `WORKSPACE_DIR` (e.g., by manipulating `os.homedir()` or the `OPENCLAW_DIR` structure) could inject commands into the crontab entry. Although `WORKSPACE_DIR` is derived from `os.homedir()` and `path.join()`, which are generally safe, it's a good practice to escape any variables used in shell commands, even in suggestions. When suggesting crontab entries or any shell commands, ensure all variables are properly quoted or escaped to prevent command injection. For example, use `cd "${WORKSPACE_DIR}"`. | LLM | scripts/setup-cron.js:50 |
| LOW | Node lockfile missing: package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/arakichanxd/claw-sync/package.json |
| LOW | Excessive File System Scope for Skill Directory: The `scripts/push.js` script recursively copies the entire `skills` directory from `WORKSPACE_DIR` to the staging area using `fs.cpSync(skillsDir, path.join(STAGING_DIR, 'workspace/skills'), { recursive: true });`. This means any files within any skill directory, including potentially sensitive ones not intended for backup, could be staged. While the `NOT Synced` section in `SKILL.md` explicitly excludes `openclaw.json` and `.env`, this recursive copy could inadvertently include other sensitive files if they are placed within a skill directory. Consider implementing a more granular file selection mechanism for skills, rather than a recursive copy of the entire `skills` directory. This could involve a whitelist of allowed file types or a blacklist of excluded file names/patterns within skill directories, similar to how `openclaw.json` and `.env` are handled at the root. | LLM | scripts/push.js:118 |