Trust Assessment
clawdio received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 2 medium, and 1 low severity. Key findings include "Unpinned npm dependency version", "Node lockfile missing", and "Arbitrary File Read/Write via identityPath Configuration".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Server-Side Request Forgery (SSRF) via Malicious Connection String.** The `Clawdio` skill's `connect` command and `exchangeKeys` method accept a `connectionString` which includes an `address` for establishing a WebSocket connection. The `src/transport.ts` module then uses this `address` directly in ``new WebSocket(`ws://${address}`)``. A malicious actor could craft a `connectionString` with an internal IP address or hostname (e.g., `clawdio://<pubkey>@192.168.1.100:8080`) to force the agent to connect to internal services. This could lead to Server-Side Request Forgery (SSRF), allowing an attacker to scan internal networks, access sensitive internal resources, or bypass network segmentation. Implement a whitelist or blacklist for IP addresses and hostnames that the agent is allowed to connect to. Specifically, prevent connections to private IP ranges (RFC 1918) and loopback addresses unless explicitly configured otherwise. Consider adding a proxy or network policy to restrict outbound connections from the agent. | LLM | src/transport.ts:20 |
| MEDIUM | **Unpinned npm dependency version.** Dependency 'commander' is not pinned to an exact version ('^12.1.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/jameseball/jameseball-clawdio/package.json |
| MEDIUM | **Arbitrary File Read/Write via identityPath Configuration.** The Clawdio skill uses `fs.readFileSync` and `fs.writeFileSync` to persist identity data at a path specified by the `identityPath` option in `ClawdioOptions`. If a malicious actor can control or influence this configuration option, they could cause the skill to read or overwrite arbitrary files on the host system. This could lead to data exfiltration (e.g., reading `/etc/passwd`), data corruption, or denial of service. While `identityPath` is typically set by the agent developer, its direct use of `fs` without path validation or sandboxing presents a risk if the configuration itself is compromised or if the agent's environment allows untrusted modification of its configuration. Implement strict validation for `identityPath` to ensure it points only to an allowed, non-sensitive directory (e.g., within the skill's own data directory) and does not contain path traversal sequences (`../`). Consider using a sandboxed file system access mechanism if available, or ensure the agent runs with minimal file system permissions. | LLM | src/index.ts:60 |
| LOW | **Node lockfile missing.** package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/jameseball/jameseball-clawdio/package.json |