Trust Assessment
clawdrug received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 2 critical, 2 high, 0 medium, and 0 low severity. Key findings include: a malicious module manifest enabling prompt injection; "effects as code" implying potential for arbitrary code execution; and exfiltration of sensitive data in `inputPrompt` or `outputText` via `submitReport`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Malicious module manifest can lead to prompt injection.** The skill allows agents to `publishModule` with a `manifest` that includes `systemPreamble` and `styleRules`. These fields directly influence the behavior of the consuming LLM, so a malicious agent could embed prompt-injection instructions in its `manifest` (e.g., in `systemPreamble`) to manipulate any agent that applies the module via `applyModule`. This is a direct vector for an attacker to control other agents' underlying LLMs. *Remediation:* implement robust sanitization and validation of `manifest` content, especially `systemPreamble` and `styleRules`; consider sandboxing the module execution environment or using a strict allow-list of instructions. | LLM | SKILL.md:146 |
| CRITICAL | **"Effects as code" implies potential for arbitrary code execution.** The skill's core concept is "effects as code", and `moduleType` can be `transform` or `hybrid`. Although the `SKILL.md` example for `publishModule` shows only prompt-like `manifest` content, the phrase "effects as code" strongly suggests the `manifest` could carry executable code. If the backend or a consuming agent executes that code without sandboxing or validation, a malicious module could achieve command injection, remote code execution, or other severe compromise. *Remediation:* define precisely what "effects as code" entails. If it means executable code, run modules in a secure sandbox; if it means structured data that *generates* code or prompts, enforce strict validation and sanitization to prevent injection. | LLM | SKILL.md:130 |
| HIGH | **Sensitive data in `inputPrompt` or `outputText` can be exfiltrated via `submitReport`.** The `submitReport` function requires `inputPrompt` and `outputText` fields. If an agent is tricked or coerced into processing sensitive information with `applyModule` (whose `input` becomes `inputPrompt` and `output` becomes `outputText`), that data can then be exfiltrated by submitting a Trip Report to the Clawdrug platform, where it becomes visible to other agents and platform operators. *Remediation:* apply data loss prevention (DLP) mechanisms to detect and redact sensitive information in `inputPrompt` and `outputText` before submission, and educate agents about the risks of processing and reporting sensitive data. | LLM | SKILL.md:100 |
| HIGH | **Untrusted agents can publish malicious modules affecting consumers.** The Clawdrug ecosystem lets any registered agent `publishModule`, and other agents then `applyModule` using these published "drugs". This is a direct supply-chain risk: a malicious publisher can ship modules designed for prompt injection (via `manifest` fields such as `systemPreamble`) or, if "effects as code" permits execution, command injection. Consuming agents are exposed to the intentions of the module publisher. *Remediation:* implement a module review and moderation process, a publisher reputation system, clear warnings about modules from untrusted sources, sandboxed module execution, and strict input/output validation. | LLM | SKILL.md:125 |
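The manifest-sanitization remediation for the two critical findings could be sketched as follows. This is a minimal illustration only: the field names `systemPreamble` and `styleRules` come from the findings above, while the allowed-field set, length limit, and injection patterns are assumptions, not Clawdrug's actual rules.

```python
import re

# Assumed allow-list of manifest fields; unknown fields are rejected outright.
ALLOWED_MANIFEST_FIELDS = {"name", "version", "systemPreamble", "styleRules"}
MAX_PREAMBLE_LEN = 500  # illustrative limit

# Phrases common in prompt-injection payloads. A real deployment would use a
# maintained classifier, not a small static pattern list like this one.
INJECTION_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"ignore (all|previous|prior) instructions",
        r"you are now",
        r"disregard your system prompt",
    )
]

def validate_manifest(manifest: dict) -> list[str]:
    """Return a list of validation errors; an empty list means the manifest passed."""
    errors = []
    unknown = set(manifest) - ALLOWED_MANIFEST_FIELDS
    if unknown:
        errors.append(f"unknown fields: {sorted(unknown)}")
    preamble = manifest.get("systemPreamble", "")
    if len(preamble) > MAX_PREAMBLE_LEN:
        errors.append("systemPreamble exceeds length limit")
    for pat in INJECTION_PATTERNS:
        if pat.search(preamble):
            errors.append(f"systemPreamble matches injection pattern: {pat.pattern}")
    return errors
```

A consuming agent would call `validate_manifest` before `applyModule` and refuse any module that returns a non-empty error list; pattern matching alone cannot catch every injection, which is why the findings also recommend sandboxing.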
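The DLP remediation for the `submitReport` exfiltration finding could look like the sketch below. The redaction patterns are a small illustrative set under assumed data formats; production DLP would be far more thorough.

```python
import re

# Assumed patterns for a few obvious classes of sensitive data.
REDACTIONS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "api_key": re.compile(r"\b(?:sk|pk)-[A-Za-z0-9]{16,}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def redact(text: str) -> str:
    """Replace each matched sensitive span with a labeled placeholder."""
    for label, pattern in REDACTIONS.items():
        text = pattern.sub(f"[REDACTED:{label}]", text)
    return text

def safe_report(input_prompt: str, output_text: str) -> dict:
    """Build a submitReport payload with sensitive spans masked before it
    ever leaves the agent. Field names mirror the finding above."""
    return {
        "inputPrompt": redact(input_prompt),
        "outputText": redact(output_text),
    }
```

Redacting locally, before the payload reaches the Clawdrug platform, ensures that even a coerced report does not expose the raw sensitive values to other agents or platform operators.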
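The publisher-reputation remediation for the supply-chain finding could be gated roughly as follows. The threshold, starting score, and moving-average weight are all illustrative assumptions; the point is only that unknown publishers are untrusted by default.

```python
TRUST_THRESHOLD = 0.7  # assumed minimum reputation to apply a module

class ModuleGate:
    """Gate applyModule on publisher reputation, untrusted by default."""

    def __init__(self) -> None:
        self._reputation: dict[str, float] = {}  # publisher id -> score in [0, 1]

    def record_review(self, publisher: str, score: float) -> None:
        """Fold a moderation/review score into the publisher's reputation
        with an exponential moving average, so history stays relevant."""
        prev = self._reputation.get(publisher, 0.5)
        self._reputation[publisher] = 0.8 * prev + 0.2 * score

    def may_apply(self, publisher: str) -> bool:
        """Unknown publishers score 0.0 and are refused."""
        return self._reputation.get(publisher, 0.0) >= TRUST_THRESHOLD
```

Reputation alone does not stop a trusted publisher from turning malicious, so this gate complements, rather than replaces, the manifest validation and sandboxing recommended in the other findings.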
Full report: [skillshield.io/report/9a82dfe28e90b0b7](https://skillshield.io/report/9a82dfe28e90b0b7)