Trust Assessment
clawctl received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 1 high, 3 medium, and 0 low severity. Key findings include "Arbitrary command execution", "Dangerous call: subprocess.Popen()", and "Sensitive environment variable access: $USER".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Recommendation: Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/lludlow/clawctl/clawctl/cli.py:489 |
| CRITICAL | **Dashboard API Token Leaked to Standard Output.** The `clawctl dashboard` command, when executed, prints the generated authentication token for the dashboard API directly to standard output. This token is used to secure access to the web UI and its API endpoints. An AI agent invoking this command would capture this token, making it available in the LLM's context and potentially exposing it to users or other systems interacting with the LLM. This constitutes a direct and severe leak of a secret credential. Recommendation: Do not print sensitive authentication tokens to standard output. If the token needs to be communicated to the user, consider more secure methods such as writing it to a secure log file with restricted permissions, displaying it only in the web UI itself after authentication, or requiring manual retrieval from a secure location. For an AI agent, the token should be stored securely and accessed programmatically without being exposed in logs or stdout. | LLM | dashboard/server.py:100 |
| HIGH | **Dangerous call: subprocess.Popen().** Call to 'subprocess.Popen()' detected in function 'dashboard'. This can execute arbitrary code. Recommendation: Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/lludlow/clawctl/clawctl/cli.py:489 |
| MEDIUM | **Sensitive environment variable access: $USER.** Access to sensitive environment variable '$USER' detected in shell context. Recommendation: Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/lludlow/clawctl/SKILL.md:6 |
| MEDIUM | **Unpinned Python dependency version.** Dependency 'click' is not pinned to an exact version. Recommendation: Pin Python dependencies with exact versions where feasible. | Dependencies | skills/lludlow/clawctl/pyproject.toml |
| MEDIUM | **Skill Runs a Network-Accessible Web Server.** The `clawctl` skill includes a `dashboard` component that runs a Flask web server, listening on `0.0.0.0` (all network interfaces) by default. Running a network-accessible service from an AI agent skill significantly expands its attack surface. While the dashboard uses a token for authentication, the token itself is leaked to standard output (as identified in SS-LLM-004), undermining this security measure. An exposed web server, even with a token, can be vulnerable to various web-based attacks if not rigorously secured and maintained. Recommendation: Re-evaluate the necessity of running a full web server as part of an AI agent skill. If essential, ensure robust security practices: 1. **Secure Token Handling:** Implement a secure method for storing and retrieving the authentication token that does not involve printing it to stdout. 2. **Access Control:** Restrict the host to `127.0.0.1` unless external access is strictly required and properly secured (e.g., via firewall rules, VPN, or more robust authentication). 3. **Input Validation:** Ensure all API inputs are thoroughly validated to prevent common web vulnerabilities (e.g., XSS, CSRF, command injection if any external calls are made). 4. **Least Privilege:** Ensure the web server runs with the minimum necessary privileges. | LLM | dashboard/server.py:107 |