Trust Assessment
clawbrain received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 26 findings: 8 critical, 11 high, 5 medium, and 2 low severity. Key findings include arbitrary command execution, unsafe deserialization / dynamic eval, and a dangerous call to `__import__()`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (26)
| Severity | Finding | Details | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess) | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/clawcolab/brain-v3-skill/tests/integration_test.py:289 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess) | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/clawcolab/brain-v3-skill/tests/test_openclaw_container.py:176 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess) | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/clawcolab/brain-v3-skill/tests/test_openclaw_container.py:198 |
| CRITICAL | Arbitrary command execution | Node.js synchronous shell execution | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/clawcolab/brain-v3-skill/brain/hooks/clawbrain-startup/handler.js:15 |
| CRITICAL | Arbitrary command execution | Node.js synchronous shell execution | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/clawcolab/brain-v3-skill/hooks/clawbrain-startup/handler.js:15 |
| CRITICAL | Arbitrary command execution | Remote code download piped to interpreter | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/clawcolab/brain-v3-skill/skill.json:21 |
| CRITICAL | Arbitrary command execution | Remote code download piped to interpreter | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/clawcolab/brain-v3-skill/remote-install.sh:3 |
| CRITICAL | Remote code execution: curl/wget pipe to shell | Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. | Never pipe curl/wget output directly to a shell interpreter. | Static | skills/clawcolab/brain-v3-skill/remote-install.sh:3 |
| HIGH | Unsafe deserialization / dynamic eval | Decryption followed by code execution | Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/clawcolab/brain-v3-skill/tests/integration_test.py:134 |
| HIGH | Unsafe deserialization / dynamic eval | Python builtins/import manipulation | Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/clawcolab/brain-v3-skill/clawbrain_cli.py:529 |
| HIGH | Dangerous call: `__import__()` | Call to `__import__()` detected in function `cmd_info`. This can execute arbitrary code. | Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/clawcolab/brain-v3-skill/clawbrain_cli.py:529 |
| HIGH | Dangerous call: `subprocess.run()` | Call to `subprocess.run()` detected in function `test_cli_available`. This can execute arbitrary code. | Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/clawcolab/brain-v3-skill/tests/integration_test.py:289 |
| HIGH | Dangerous call: `subprocess.run()` | Call to `subprocess.run()` detected in function `test_cli`. This can execute arbitrary code. | Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/clawcolab/brain-v3-skill/tests/test_openclaw_container.py:176 |
| HIGH | Dangerous call: `subprocess.run()` | Call to `subprocess.run()` detected in function `test_hook_syntax`. This can execute arbitrary code. | Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/clawcolab/brain-v3-skill/tests/test_openclaw_container.py:198 |
| HIGH | Unrestricted Shell Execution in JavaScript Hook | The `handler.js` file uses `spawn` and `spawnSync` to execute `python3` with arbitrary Python code constructed as a string. While the current Python code aims to locate the `brain_bridge.py` script, the `spawnSync` call itself is a direct shell execution. If an attacker could inject into the `python3` command or the Python code string, it could lead to arbitrary command execution on the host system. The `cwd` for the spawned process is also set to `CLAWBRAIN_DIR`, which is derived from potentially user-controlled paths. | Avoid constructing shell commands with interpolated strings. If external process execution is necessary, use a more secure IPC mechanism or ensure all arguments are strictly validated and passed as separate array elements to `spawn` to prevent shell interpretation. Ensure `CLAWBRAIN_DIR` is not user-controlled. | LLM | brain/hooks/clawbrain-startup/handler.js:13 |
| HIGH | Unrestricted Shell Execution in JavaScript Hook (runBrainCommand) | The `runBrainCommand` function in `handler.js` directly executes `python3` with the `BRIDGE_SCRIPT` path. While `BRIDGE_SCRIPT` is determined by the script itself, the `spawn` call represents a direct command injection vector if `BRIDGE_SCRIPT` or the `input` (which contains `command` and `args` from potentially untrusted sources) could be manipulated. The `cwd` is also set to `CLAWBRAIN_DIR`, which is derived from potentially user-controlled paths. | Ensure `BRIDGE_SCRIPT` and `CLAWBRAIN_DIR` are absolutely trusted and cannot be influenced by external input. Strictly validate `command` and `args` passed to `runBrainCommand` to prevent any form of command injection. Consider using a more robust IPC mechanism than stdin/stdout JSON over shell execution. | LLM | brain/hooks/clawbrain-startup/handler.js:110 |
| HIGH | Unrestricted Shell Execution in `install.sh` | The `install.sh` script executes `pip install clawbrain[all]` and `clawbrain setup` directly. While these are intended installation steps, the script also attempts to detect Python dependencies by running `python3 -c "import <module>"`. If the `python3` executable or its environment is compromised, this could lead to arbitrary code execution. The script also uses `sudo systemctl restart $SERVICE_NAME`, which is a privileged command. | Ensure the execution environment for `install.sh` is secure. While direct execution is common for install scripts, it is important to note the inherent risk. For production, consider using containerized builds or more controlled deployment mechanisms. | LLM | install.sh:70 |
| HIGH | Unrestricted Shell Execution in `remote-install.sh` | The `remote-install.sh` script directly executes `git clone`, `git fetch`, `git checkout`, `git pull`, and then `chmod +x install.sh` followed by `./install.sh`. This chain of commands, especially downloading and executing a script from a remote URL (`curl \| bash`), is a significant supply chain risk and command injection vector. If the GitHub repository is compromised, or the `curl` command is redirected, arbitrary code could be executed with the user's permissions. | Strongly advise against using `curl \| bash` for installation in production environments. Recommend manual review of scripts before execution. Implement cryptographic verification of downloaded scripts. Pin specific Git commits or tags instead of branches like `main` or `feature/openclaw-plugin-integration` to prevent unexpected code changes. | LLM | remote-install.sh:10 |
| HIGH | Unpinned Git Branch in Remote Installation Script | The `remote-install.sh` script clones and checks out the `feature/openclaw-plugin-integration` branch (or `main` as fallback) from GitHub. Using a branch instead of a specific commit hash or tag means that the installed code can change at any time without explicit user action, introducing a significant supply chain risk. A malicious actor gaining access to the repository could inject code into these branches, which would then be automatically executed on user systems. | Pin dependencies to specific, immutable versions (e.g., Git commit hashes or signed tags) to ensure reproducibility and prevent unexpected code changes. This reduces the risk of malicious code injection via repository compromise. | LLM | remote-install.sh:56 |
| MEDIUM | Sensitive environment variable access: `$HOME` | Access to sensitive environment variable `$HOME` detected in shell context. | Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/clawcolab/brain-v3-skill/install.sh:15 |
| MEDIUM | Sensitive environment variable access: `$HOME` | Access to sensitive environment variable `$HOME` detected in shell context. | Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/clawcolab/brain-v3-skill/remote-install.sh:34 |
| MEDIUM | Sensitive environment variable access: `$HOME` | Access to sensitive environment variable `$HOME` detected in shell context. | Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/clawcolab/brain-v3-skill/tests/test_openclaw_integration.sh:38 |
| MEDIUM | Unpinned Python dependency version | Dependency `cryptography>=41.0.0` is not pinned to an exact version. | Pin Python dependencies with exact versions where feasible. | Dependencies | skills/clawcolab/brain-v3-skill/pyproject.toml |
| MEDIUM | Unpinned Python Dependencies in `pyproject.toml` | The `pyproject.toml` file specifies optional dependencies with minimum versions (e.g., `cryptography>=41.0.0`, `sentence-transformers>=2.0.0`). While minimum versions are better than no versions, they do not pin to exact versions. This can lead to non-reproducible builds and potential for dependency confusion or supply chain attacks if a malicious version of a dependency is released that still meets the minimum version requirement. | Pin all dependencies to exact versions (e.g., `cryptography==41.0.0`) or use a lock file (e.g., `pip freeze > requirements.txt` or `poetry.lock`) to ensure reproducible builds and mitigate supply chain risks. | LLM | pyproject.toml:34 |
| LOW | Environment Variable Exposure in Documentation | The `SKILL.md` and `skill.json` files explicitly list environment variables like `BRAIN_POSTGRES_PASSWORD`. While this is for configuration, exposing the name of a sensitive environment variable in documentation could be considered a minor information leak, making it easier for an attacker to know what to look for if they gain access to the system. | Consider using more generic names for sensitive environment variables in public documentation, or emphasize that these should be treated with extreme care and never hardcoded. This is a low severity finding as the variable name itself is not a secret. | LLM | SKILL.md:70 |
| LOW | Environment Variable Exposure in Documentation | The `SKILL.md` and `skill.json` files explicitly list environment variables like `BRAIN_ENCRYPTION_KEY`. While this is for configuration, exposing the name of a sensitive environment variable in documentation could be considered a minor information leak, making it easier for an attacker to know what to look for if they gain access to the system. | Consider using more generic names for sensitive environment variables in public documentation, or emphasize that these should be treated with extreme care and never hardcoded. This is a low severity finding as the variable name itself is not a secret. | LLM | SKILL.md:68 |
Full report: https://skillshield.io/report/0783c0fa5e8f42ad (powered by SkillShield)