Trust Assessment
clawd-docs-v2 received a trust score of 83/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include "Direct shell command execution for file access" and "Skill requires local filesystem read access".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Direct shell command execution for file access. The skill explicitly instructs the agent to use `bash` commands such as `ls` and `cat` to access local files and directories. While the examples provided are limited to `~/clawd/data/`, if the arguments to these commands are not strictly sanitized and controlled by the agent's execution environment, a malicious prompt could trick the agent into executing arbitrary shell commands or reading sensitive files outside the intended scope (e.g., `cat /etc/passwd`, `ls /`). This presents a significant command injection vulnerability. Implement strict sandboxing for shell commands, ensuring that `ls` and `cat` can only operate within the `~/clawd/data/` directory and cannot accept arbitrary paths from user input. Prefer dedicated file access APIs over direct shell commands if possible, or ensure all arguments are whitelisted/sanitized before execution. | LLM | SKILL.md:22 |
| MEDIUM | Skill requires local filesystem read access. The skill design requires the agent to read files from the local filesystem, specifically from the `~/clawd/data/` directory, using `cat` and `ls` commands. While this is necessary for the skill's functionality (local search index, cached snippets), it grants the agent permission to access local storage. Without proper sandboxing, this could be escalated to read arbitrary files on the system, leading to data exfiltration. Ensure the agent's execution environment strictly enforces read-only access to the `~/clawd/data/` directory and prevents access to other parts of the filesystem. Implement a robust allowlist for file paths or use a virtualized filesystem for skill execution to minimize the attack surface. | LLM | SKILL.md:22 |