Trust Assessment
clawd-modifier received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 2 high, 0 medium, and 0 low severity. Key findings include Arbitrary File Read via --cli-path argument, Arbitrary File Write via --cli-path argument, Direct Binary Modification Capability.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary File Write via `--cli-path` argument.** The `scripts/patch_art.py` and `scripts/patch_color.py` scripts both allow specifying the target `cli.js` path via the `--cli-path` argument. If an LLM constructs the command to execute these scripts using untrusted user input for the path, an attacker could provide an arbitrary file path. This would allow the scripts to write modified content to any file accessible to the agent, potentially leading to command injection, system compromise, or data corruption. **Recommendation:** Restrict the `--cli-path` argument to a predefined set of safe paths or validate it rigorously to prevent arbitrary file writes. Alternatively, remove the ability to specify an arbitrary path and rely solely on `find_cli_js()` for known locations. | LLM | scripts/patch_art.py:105 |
| HIGH | **Arbitrary File Read via `--cli-path` argument.** The `scripts/extract_clawd.py` script allows specifying the target `cli.js` path via `sys.argv[1]`. If an LLM constructs the command to execute this script using untrusted user input for the path, an attacker could provide an arbitrary file path. This would cause the script to read and print the content of any file accessible to the agent, leading to data exfiltration. **Recommendation:** Restrict the `--cli-path` argument to a predefined set of safe paths or validate it rigorously to prevent arbitrary file access. Alternatively, remove the ability to specify an arbitrary path and rely solely on `find_cli_js()` for known locations. | LLM | scripts/extract_clawd.py:56 |
| HIGH | **Direct Binary Modification Capability.** The `scripts/patch_binary.py` script is designed to directly modify a compiled system binary (`claude`) by searching and replacing byte sequences. While the target binary path is not directly user-controlled via command-line arguments, the skill itself provides the capability to alter a core system component. An LLM, if prompted maliciously or incorrectly, could be instructed to apply patches that corrupt the binary, introduce vulnerabilities, or lead to system instability. This represents an excessive permission granted to the skill and a significant supply chain risk if the patches themselves were ever compromised or misused. **Recommendation:** Carefully evaluate the necessity of a skill that directly modifies system binaries. If essential, ensure strict controls on how the LLM can invoke this skill, limiting variants to a curated, verified list. Consider sandboxing the execution environment or requiring explicit user confirmation for such high-impact operations. | LLM | scripts/patch_binary.py:154 |