Trust Assessment
clawcast received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 3 critical, 0 high, 6 medium, and 3 low severity. Key findings include Persistence / self-modification instructions, Arbitrary command execution, Sensitive environment variable access: $HOME.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings12
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/tezatezaz/cast/scripts/01_install_cast.sh:22 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/tezatezaz/cast/scripts/01_install_cast.sh:19 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/tezatezaz/cast/scripts/01_install_cast.sh:15 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tezatezaz/cast/scripts/00_lib.sh:5 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tezatezaz/cast/scripts/01_install_cast.sh:22 | |
| MEDIUM | Persistence mechanism: Shell RC file modification Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/tezatezaz/cast/scripts/01_install_cast.sh:22 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tezatezaz/cast/scripts/remove_wallet.sh:17 | |
| MEDIUM | Unpinned `curl | bash` for Foundry installation The script `01_install_cast.sh` uses `curl -L https://foundry.paradigm.xyz | bash` to install Foundry. This method executes an arbitrary script downloaded from the internet without version pinning or integrity checks. While `foundry.paradigm.xyz` is the official source, this practice introduces a supply chain risk, as a compromise of the Foundry website or CDN could lead to the execution of malicious code on the agent's system. Recommend installing Foundry via a package manager (if available and supported) or by downloading a specific, version-pinned binary with a checksum verification. Alternatively, provide instructions for manual installation and verification. | LLM | scripts/01_install_cast.sh:20 | |
| MEDIUM | Persistent storage of wallet password on disk The script `03_password.sh` saves the user's wallet password to a file named `pw.txt` within the agent's application directory (`~/.agent-wallet/pw.txt`). This file persists on disk and is used by `cast` commands requiring the password. Although permissions are set to `chmod 600`, any compromise of the agent's local filesystem could expose this password, allowing an attacker to access the encrypted keystore. Explore alternative methods for handling the password, such as using a secure credential store, prompting the user for the password each time it's needed, or leveraging `cast`'s interactive password prompt more extensively without saving it to a file. If file storage is unavoidable, ensure robust encryption of the file itself. | LLM | scripts/03_password.sh:27 | |
| LOW | Temporary storage of private key and mnemonic on disk The script `02_wallet.sh` temporarily writes the generated or imported private key to `privatekey.tmp` and, if a new mnemonic is generated, saves it to `mnemonic-words-*.txt`. While the private key file is deleted in the next step (`03_password.sh`) and the mnemonic file is scheduled for deletion via `at` (or manual deletion is warned), there is a window of vulnerability where these highly sensitive credentials exist unencrypted on the filesystem. An attacker with local access during this window could exfiltrate them. Minimize the time sensitive data is stored on disk. If possible, pass private keys and mnemonics directly to `cast` commands via environment variables or stdin without writing them to temporary files. If temporary files are necessary, ensure they are immediately deleted after use and consider in-memory handling where feasible. | LLM | scripts/02_wallet.sh:109 | |
| LOW | Logging of sensitive transaction details to file The skill instructs the agent to append transaction mentions (UTC timestamp, wallet address, tx hash, description) to `logs/tx_mentions.log`. While this log is within the workspace, it creates a persistent record of sensitive financial activity. If this log file is not adequately protected or is inadvertently exposed, it could lead to privacy breaches or provide valuable information to attackers. Re-evaluate the necessity of logging all transaction mentions to a persistent file. If logging is essential, consider encrypting the log file, implementing strict access controls, and regularly purging old entries. Ensure the log file is explicitly excluded from any backup or sharing mechanisms. | LLM | SKILL.md:118 | |
| LOW | Use of `sudo` for `at` command installation The `schedule_mnemonic_file_cleanup` function in `02_wallet.sh` attempts to install the `at` command using `sudo` if it's not found. This requires the agent to have `sudo` privileges, which is an elevated permission. While the intent is to enable a security feature (mnemonic cleanup), granting `sudo` access to an agent for arbitrary package installation can be a security risk if the installer command or the package source is compromised. Avoid using `sudo` within agent skills unless absolutely critical and explicitly approved. Instead, instruct the user to manually install `at` if it's missing, or provide clear warnings about the implications of automatic installation with `sudo`. Alternatively, rely on alternative cleanup mechanisms that do not require elevated privileges. | LLM | scripts/02_wallet.sh:64 |
Scan History
Embed Code
[](https://skillshield.io/report/932ef1dedbd902dc)
Powered by SkillShield