Trust Assessment
clawcast received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 11 findings: 5 critical, 1 high, 5 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Arbitrary command execution, Sensitive environment variable access: $HOME.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (11)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Persistence / self-modification instructions.** Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/tezatezaz/clawcast/scripts/01_install_cast.sh:22 |
| CRITICAL | **Arbitrary command execution.** Remote code download piped to interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/tezatezaz/clawcast/scripts/01_install_cast.sh:19 |
| CRITICAL | **Remote code execution: curl/wget pipe to shell.** Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/tezatezaz/clawcast/scripts/01_install_cast.sh:15 |
| CRITICAL | **Unverified script execution from external URL.** The skill downloads and executes a shell script from `https://foundry.paradigm.xyz` directly into `bash` without any integrity checks or user review. This is a significant supply chain risk, as a compromise of the remote server could lead to arbitrary code execution on the agent's host with the permissions of the agent. Avoid piping unverified scripts from external URLs directly to a shell. Instead, download the script, review its contents, and ideally verify its integrity (e.g., via checksums) before execution. For package management, prefer system package managers or official, signed installers. | LLM | scripts/01_install_cast.sh:19 |
| CRITICAL | **Privilege escalation via `sudo` for package installation.** The script attempts to install the `at` package using `sudo apt install -y at`. This grants root privileges to install software, which is an excessive permission for an AI agent skill. A compromised package repository, a malicious `at` package, or manipulation of the `$installer` variable could lead to arbitrary code execution with elevated privileges. Avoid using `sudo` within automated skills. If `at` is a hard requirement, the user should be prompted to install it manually with appropriate warnings, or the skill should operate in an environment where `at` is pre-installed or can be installed without `sudo`. | LLM | scripts/02_wallet.sh:90 |
| HIGH | **Persistent storage of keystore password in plaintext file.** The skill saves the user's keystore password to `~/.agent-wallet/pw.txt` (`PASSWORD_FILE`). Although `chmod 600` is applied, storing a password in a plaintext file, even with restricted permissions, is a significant security risk. Any compromise of the agent's filesystem or a privilege escalation could expose the password, allowing access to the encrypted keystore. Avoid storing passwords in plaintext files. Use secure credential management systems, environment variables (if the process lifetime is short and isolated), or prompt the user for the password each time it's needed. If `cast` requires a password file, consider using a named pipe or a temporary file that is immediately deleted after use, rather than a persistent file. | LLM | scripts/03_password.sh:26 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tezatezaz/clawcast/scripts/00_lib.sh:5 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tezatezaz/clawcast/scripts/01_install_cast.sh:22 |
| MEDIUM | **Persistence mechanism: Shell RC file modification.** Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/tezatezaz/clawcast/scripts/01_install_cast.sh:22 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tezatezaz/clawcast/scripts/remove_wallet.sh:17 |
| MEDIUM | **Temporary storage of sensitive credentials on disk.** The skill temporarily writes the user's mnemonic phrase to `~/.agent-wallet/mnemonic-words-<timestamp>.txt` and the private key to `~/.agent-wallet/privatekey.tmp`. While `chmod 600` is applied and deletion is scheduled, these files exist on disk, creating a window of vulnerability where a compromised system or a failed cleanup could expose these critical credentials. Avoid writing sensitive credentials to disk, even temporarily. Explore in-memory handling or secure credential stores. If temporary files are unavoidable, ensure robust, immediate deletion and encryption at rest. The scheduled deletion via `at` is a good attempt but can fail. | LLM | scripts/02_wallet.sh:144 |