Trust Assessment
clawdirect received a trust score of 76/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 0 medium, and 0 low severity, plus 1 informational finding. The findings are Potential Command Injection via `npx` calls (high), Potential Command Injection via `curl` calls (high), and Dependency on external skill `atxp-dev/cli` introduces supply chain risk (informational).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential command injection via `npx` calls.** The skill instructs the LLM to execute `npx atxp-call` commands with dynamic parameters (`<tool_name>`, `<json_params>`). If the LLM builds these command strings from unsanitized user input, or if `atxp-call` itself mishandles its parameters, the result can be arbitrary command execution on the host. Enclosing the JSON in single quotes stops `$`, backtick and backslash expansion, but it gives no protection once the JSON contains a single quote: that character ends the quoted region and everything after it is parsed as shell syntax, and a single quote is a legal character inside a JSON string. Remediation: 1. Do not treat LLM-side sanitization as the control; have the host execute the command as an argument list (e.g. `subprocess.run` with `shell=False` and the arguments passed as a list) so that no shell ever parses `<tool_name>` or `<json_params>`. 2. If a shell string is unavoidable, escape every dynamic value with a proper shell-quoting routine rather than hand-placed quotes. 3. `atxp-call` should validate and sanitize its own inputs independently of the caller. 4. Where possible, prefer a controlled API or library call over `npx` shell commands for sensitive operations. | LLM | SKILL.md:12 |
| HIGH | **Potential command injection via `curl` calls.** The skill instructs the LLM to execute `curl` commands with dynamic parameters: `<entry_id>` in the URL path and `<cookie_value>` inside a `Cookie` header that the example encloses in double quotes. Double quotes do not stop the shell from interpreting `$(...)`, `$VAR`, backticks, backslashes or an embedded `"`, so if the LLM builds the command from unsanitized user input, or if a value returned by another tool (such as `clawdirect_cookie`) contains those characters, the shell executes the injected text on the host. The `<entry_id>` path segment is exposed to the same problem. Remediation: 1. Run `curl` (or, preferably, an HTTP client library) from the host with the URL and header passed as separate arguments rather than as a shell string, so that no quoting is needed. 2. Validate `<entry_id>` against an allowlist pattern and reject anything outside it before use. 3. Where a shell string cannot be avoided, escape `<entry_id>` and `<cookie_value>` with a proper shell-quoting routine, paying particular attention to characters that close double quotes or trigger command substitution. | LLM | SKILL.md:68 |
| INFO | **Dependency on external skill `atxp-dev/cli` introduces supply chain risk.** The skill requires the installation of an external skill, `atxp-dev/cli`, via `npx skills add`. This is a common pattern for skill dependencies in the `skills.sh` ecosystem, but it means the security of this skill is only as good as the security and trustworthiness of `atxp-dev/cli`: if that package were compromised or malicious, it could affect the host on which this skill runs. Remediation: 1. Vet `atxp-dev/cli` as coming from a trusted source, review it before installation, and re-check it when it updates. 2. Run skills in isolated environments (containers or sandboxes) to limit the blast radius of a compromised dependency. 3. Once installed, run the `atxp` skill with the minimum permissions it needs. | LLM | SKILL.md:6 |
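The two HIGH findings above describe the same failure mode: a value pasted into a quoted shell string can still change the command, whereas the same value passed as an element of an argument list cannot. The example below, added to this report and not taken from the clawdirect skill, SkillShield or the `atxp-call` tool, shows both the single-quoted `npx` pattern and the double-quoted `curl` pattern breaking, and the argument-list form that fixes them. `echo` stands in for `curl` and `npx atxp-call` so that the effect is visible offline; the two payloads, the base URL and the entry-id allowlist pattern are constructed assumptions.

```python
"""Shell-string interpolation versus argv: the injection behind both HIGH findings.

Example code written for this report; not code from clawdirect, SkillShield or
atxp-call. `echo` replaces curl / npx so the commands run offline.
"""
import re
import shlex
import subprocess

# Constructed attacker-controlled values, e.g. returned by another tool or
# typed by a user. Both look harmless at a glance.
COOKIE_VALUE = "abc$(echo INJECTED)"            # command substitution survives double quotes
JSON_PARAMS = '{"q": "x\'$(echo INJECTED)\'"}'  # valid JSON; the ' ends a single-quoted arg

CLAWDIRECT_BASE_URL = "https://example.invalid/entries/"  # placeholder, not the real endpoint
ENTRY_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")         # assumed id format, not from the skill


def run_shell_string(command: str) -> str:
    """Run a command the way an agent that pastes a string into /bin/sh would."""
    proc = subprocess.run(command, shell=True, capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


def run_argv(argv: list[str]) -> str:
    """Run a command as an argv list: no shell, so no quoting, no substitution."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


def curl_header_via_shell_string(cookie_value: str) -> str:
    # The report's curl pattern: the value sits inside double quotes, where
    # $(...), `...`, $VAR, backslash and an embedded " are still interpreted.
    return run_shell_string(f'echo "Cookie: {cookie_value}"')


def curl_header_via_argv(cookie_value: str) -> str:
    # Same header built in the child's argv: the bytes reach the program unchanged.
    return run_argv(["echo", f"Cookie: {cookie_value}"])


def npx_params_via_shell_string(json_params: str) -> str:
    # The report's npx pattern: single quotes protect everything except a single
    # quote, so one ' in the JSON ends the quoted region and the rest is shell.
    return run_shell_string(f"echo '{json_params}'")


def npx_params_via_argv(json_params: str) -> str:
    return run_argv(["echo", json_params])


def shell_string_with_quote(cookie_value: str) -> str:
    # If a shell string is unavoidable, shlex.quote() (POSIX sh only) wraps the
    # value so the shell hands it over verbatim.
    return run_shell_string(f"echo {shlex.quote('Cookie: ' + cookie_value)}")


def entry_id_is_valid(entry_id: str) -> bool:
    """Allowlist check for the URL path segment: reject anything outside the pattern."""
    return ENTRY_ID_RE.fullmatch(entry_id) is not None


def curl_argv(entry_id: str, cookie_value: str) -> list[str]:
    """Hardened form of the report's curl call: validated id, and URL and header
    handed to curl as separate arguments. Execute it with run_argv()."""
    if not entry_id_is_valid(entry_id):
        raise ValueError(f"rejected entry_id: {entry_id!r}")
    return ["curl", "-sS", "--fail", CLAWDIRECT_BASE_URL + entry_id,
            "-H", f"Cookie: {cookie_value}"]


if __name__ == "__main__":
    print("curl, shell string :", curl_header_via_shell_string(COOKIE_VALUE))
    print("curl, argv         :", curl_header_via_argv(COOKIE_VALUE))
    print("npx, shell string  :", npx_params_via_shell_string(JSON_PARAMS))
    print("npx, argv          :", npx_params_via_argv(JSON_PARAMS))
    print("shlex.quote        :", shell_string_with_quote(COOKIE_VALUE))
    print("hardened curl argv :", curl_argv("entry-42", COOKIE_VALUE))
```

Running it shows `Cookie: abcINJECTED` and `{"q": "xINJECTED"}` from the shell-string variants, the literal payloads from the argv variants, and a `ValueError` if `curl_argv` is given an id such as `entry;id`. Note that `JSON_PARAMS` is well-formed JSON, so the single-quote break is reachable with input that passes a JSON check; only the argument-list form (or, failing that, `shlex.quote`) removes the shell from the path. `shlex.quote` is specific to POSIX shells and is not a fix for `cmd.exe` or PowerShell.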
Full report: https://skillshield.io/report/ac382b831c347eba (powered by SkillShield)