Trust Assessment
clawd received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 38 findings: 17 critical, 12 high, 8 medium, and 1 low severity. Key findings include Persistence / self-modification instructions, Network egress to untrusted endpoints, and Arbitrary command execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (38)
| Severity | Finding | Details | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions | Crontab manipulation (list/remove/edit) | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/clawd/scripts/install-morning-briefing.sh:73 |
| CRITICAL | Persistence / self-modification instructions | Crontab manipulation (list/remove/edit) | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/clawd/scripts/install-morning-briefing.sh:85 |
| CRITICAL | Persistence / self-modification instructions | Crontab manipulation (list/remove/edit) | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/clawd/scripts/install-morning-briefing.sh:95 |
| CRITICAL | Persistence / self-modification instructions | Crontab manipulation (list/remove/edit) | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/clawd/scripts/install-morning-briefing.sh:106 |
| CRITICAL | Persistence / self-modification instructions | Crontab manipulation (list/remove/edit) | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/clawd/scripts/install-morning-briefing.sh:149 |
| CRITICAL | Persistence / self-modification instructions | Piping content into crontab | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/clawd/scripts/install-morning-briefing.sh:99 |
| CRITICAL | Network egress to untrusted endpoints | Axios POST/PUT to URL | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/snail3d/clawd/scripts/overwatch-checkin.js:81 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess) | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawd/scripts/overwatch.py:98 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess) | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawd/scripts/overwatch.py:128 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess) | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawd/scripts/overwatch.py:257 |
| CRITICAL | Arbitrary command execution | Node.js child_process require | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawd/scripts/generate-morning-briefing.js:11 |
| CRITICAL | Arbitrary command execution | Node.js child_process require | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawd/scripts/overwatch-checkin.js:17 |
| CRITICAL | Arbitrary command execution | Node.js child_process require | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawd/scripts/skill-discovery-agent.js:13 |
| CRITICAL | Arbitrary command execution | Node.js synchronous shell execution | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawd/scripts/overwatch-checkin.js:54 |
| CRITICAL | Arbitrary command execution | Node.js synchronous shell execution | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawd/scripts/overwatch-checkin.js:127 |
| CRITICAL | Prompt Injection via Workspace Context to Sub-Agent | The `scripts/generate-morning-briefing.js` script reads content from local files (`MEMORY.md`, `SOUL.md`, `TOOLS.md`, and recent log files) into `workspaceContext`. This `workspaceContext` is then directly embedded into the `task` field of a `taskDescriptor` JSON object, which is written to a file (`.skill-discovery-task.json`) for processing by a 'sub-agent'. If an attacker can write to any of these source files, they can inject arbitrary instructions into the sub-agent's prompt, leading to prompt injection and potential arbitrary actions by the sub-agent. | Implement strict sanitization and validation of any content read from local files before embedding it into prompts for LLMs or sub-agents. Consider using a structured data format for agent tasks that separates instructions from dynamic content, or employ LLM-specific prompt injection defenses. | LLM | scripts/generate-morning-briefing.js:190 |
| CRITICAL | Prompt Injection via Report Content to Main Agent | The `scripts/mail-hygiene-reporter.sh` script reads `REPORT_CONTENT` from `/Users/ericwoodard/clawd/mail-reports/latest-summary.txt`. This content is then embedded directly into a message written to `/tmp/mail-hygiene-message.txt`, which is intended to be read and processed by a 'main agent' for notifications. If an attacker can manipulate the content of `latest-summary.txt` (e.g., via a compromised `mail-hygiene.sh` script or direct file system access), they can inject arbitrary instructions into the message, leading to prompt injection when the main agent processes it. | Sanitize and validate `REPORT_CONTENT` before embedding it into messages intended for LLMs or agents. Ensure that the `latest-summary.txt` file is protected from unauthorized writes. If possible, use a structured communication method between agents that prevents arbitrary text from being interpreted as instructions. | LLM | scripts/mail-hygiene-reporter.sh:34 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'detect_motion'. This can execute arbitrary code. | Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawd/scripts/overwatch.py:128 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'capture_frame'. This can execute arbitrary code. | Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawd/scripts/overwatch.py:98 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. | Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawd/scripts/overwatch.py:257 |
| HIGH | Potential data exfiltration: file read + network send | Function 'send_telegram_photo' reads files and sends data over the network. This may indicate data exfiltration. | Review this function to ensure file contents are not being sent to external servers. | Static | skills/snail3d/clawd/scripts/overwatch.py:58 |
| HIGH | Persistence mechanism: Crontab modification | Detected Crontab modification pattern. Persistence mechanisms allow malware to survive system restarts. | Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/snail3d/clawd/scripts/install-morning-briefing.sh:85 |
| HIGH | Persistence mechanism: Crontab modification | Detected Crontab modification pattern. Persistence mechanisms allow malware to survive system restarts. | Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/snail3d/clawd/scripts/install-morning-briefing.sh:95 |
| HIGH | Command Injection via WEBCAM_DEVICE environment variable | The `scripts/capture.sh` script uses the `WEBCAM_DEVICE` environment variable directly in shell commands (`imagesnap -d "$DEVICE"`). If an attacker can control this environment variable, they could inject shell metacharacters (e.g., `$(evil_command)`) leading to arbitrary command execution. This script is called by `scripts/overwatch-checkin.js`, making the vulnerability exploitable if the environment variable is compromised. | Sanitize or strictly validate the `WEBCAM_DEVICE` environment variable before using it in shell commands. Consider using a safer method for passing device information that does not involve direct shell interpretation, or ensure the environment where the skill runs has strict control over environment variables. | LLM | scripts/capture.sh:9 |
| HIGH | Supply Chain Risk: Unverified Binary Download and Execution | The `scripts/claude-code-updater.sh` script downloads a binary (`claude-code`) from a remote GitHub repository (`https://github.com/anthropics/claude-code/releases/download/$LATEST_VERSION/claude-code`) and makes it executable without verifying its integrity (e.g., using a checksum or GPG signature). A compromised GitHub release or a man-in-the-middle attack during download could lead to the installation and execution of arbitrary malicious code. | Implement integrity verification for downloaded binaries. This typically involves downloading a checksum file (e.g., SHA256) alongside the binary and comparing it before making the binary executable. GPG signature verification is an even stronger measure. | LLM | scripts/claude-code-updater.sh:59 |
| HIGH | Excessive Permissions: Sudo Usage and Crontab Modification | The `scripts/install-morning-briefing.sh` script uses `sudo` to modify system settings (timezone) and directly modifies the user's crontab to schedule a daily task. While the scheduled command is fixed, the use of `sudo` grants elevated privileges, and the ability to modify crontab is a high privilege that could be abused if the script itself were compromised or if the scheduled command were dynamically constructed from untrusted input. | Minimize the use of `sudo` to only strictly necessary operations. For crontab modifications, ensure that the scheduled commands are always fixed and do not incorporate any untrusted input. Consider using a less privileged scheduling mechanism if possible. | LLM | scripts/install-morning-briefing.sh:26 |
| HIGH | Command Injection via Email From Address in Filter Creation | The `scripts/mail-hygiene.sh` script extracts the `from_address` from email headers and uses it directly in the `gog gmail create-filter --from "$from_address" --delete` command. If a malicious sender crafts their `From:` address to contain shell metacharacters (e.g., `evil@example.com"$(rm -rf /)"`), it could lead to arbitrary command execution by the shell before `gog` is invoked. | Strictly sanitize and validate the `from_address` before using it in shell commands. Ensure that only valid email address characters are allowed, and escape any potential shell metacharacters. Alternatively, use a `gog` API or library call that handles argument sanitization internally, rather than direct shell execution. | LLM | scripts/mail-hygiene.sh:150 |
| HIGH | Data Exfiltration and Credential Usage to Third-Party Services | The `scripts/overwatch-checkin.js` and `scripts/overwatch.py` scripts are designed to send potentially sensitive image data (surveillance footage) to external services (Groq Vision API for analysis, Telegram Bot API for alerts). Both scripts use API keys/tokens (`GROQ_API_KEY`, `TELEGRAM_TOKEN`, `TELEGRAM_BOT_TOKEN`) for authentication. While this is the intended functionality of the skill, it represents a significant data exfiltration pathway and reliance on sensitive credentials being present and used by the skill. Users should be fully aware of this data flow and the implications for privacy and security. | Ensure clear and prominent disclosure to users about the collection, transmission, and processing of sensitive data (e.g., images) and the use of API keys by third-party services. Implement robust credential management practices (e.g., secure storage, rotation). Provide options for users to disable or configure these features if they have privacy concerns. | LLM | scripts/overwatch-checkin.js:70 |
| HIGH | Supply Chain Risk: Automated Skill Installation from Untrusted Source | The `scripts/skill-discovery-agent.js` script is designed to automatically search for and install skills from 'ClawdHub'. While it attempts to run a `security-scanner` skill first, this process inherently introduces a supply chain risk. If ClawdHub is compromised, or if a malicious skill bypasses the `security-scanner` (which itself is a skill that needs to be trusted), the agent could install arbitrary malicious software onto the system. | Implement a more robust vetting process for skills from external marketplaces. This could include manual review, sandboxing during installation and execution, or requiring cryptographic signatures for skills. The `security-scanner` skill itself should be highly trusted and regularly updated. Provide clear user consent mechanisms before any automated installation. | LLM | scripts/skill-discovery-agent.js:169 |
| MEDIUM | Unsafe deserialization / dynamic eval | Decryption followed by code execution | Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/snail3d/clawd/scripts/skill-discovery-agent.js:89 |
| MEDIUM | Missing required field: name | The 'name' field is required for claude_code skills but is missing from frontmatter. | Add a 'name' field to the SKILL.md frontmatter. | Static | skills/snail3d/clawd/SKILL.md:1 |
| MEDIUM | Suspicious import: requests | Import of 'requests' detected. This module provides network or low-level system access. | Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/snail3d/clawd/scripts/overwatch.py:56 |
| MEDIUM | Suspicious import: requests | Import of 'requests' detected. This module provides network or low-level system access. | Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/snail3d/clawd/scripts/overwatch.py:82 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. | Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/snail3d/clawd/scripts/claude-code-updater.sh:8 |
| MEDIUM | Sensitive environment variable access: $GITHUB_API | Access to sensitive environment variable '$GITHUB_API' detected in shell context. | Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/snail3d/clawd/scripts/claude-code-updater.sh:21 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. | Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/snail3d/clawd/scripts/motion-detect.sh:5 |
| MEDIUM | Unpinned npm dependency version | Dependency 'axios' is not pinned to an exact version ('^1.6.0'). | Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/snail3d/clawd/package.json |
| LOW | Node lockfile missing | package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). | Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/snail3d/clawd/package.json |