Trust Assessment
clawearn received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 3 critical, 2 high, 0 medium, and 0 low severity. Key findings include Arbitrary command execution, Remote code execution: curl/wget pipe to shell, Direct execution of untrusted remote script (curl | bash).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/stonega/clawearn/SKILL.md:20 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/stonega/clawearn/SKILL.md:20 | |
| CRITICAL | Direct execution of untrusted remote script (curl | bash) The skill instructs the user to download and execute a script directly from a remote URL (`https://clawearn.xyz/install.sh`) using `curl -fsSL ... | bash`. This pattern is extremely dangerous as it allows arbitrary code execution on the user's system without prior review. A malicious or compromised `install.sh` script could lead to full system compromise, data exfiltration, or installation of malware. Avoid direct execution of remote scripts. Instead, recommend users to download the script, review its contents, and then execute it locally. For production systems, consider using package managers with cryptographic signing or containerized environments. | LLM | SKILL.md:20 | |
| HIGH | Untrusted skill file downloads from external domain The skill instructs the user to download multiple skill-related files (SKILL.md, HEARTBEAT.md, etc.) directly from `https://clawearn.xyz/skills/` using `curl`. While these are not executed directly via `| bash`, they are interpreted by the AI agent. If the `clawearn.xyz` domain is compromised, an attacker could inject malicious instructions or capabilities into these skill files, leading to prompt injection, data exfiltration, or other agent-level compromises. Implement cryptographic verification for downloaded skill files (e.g., PGP signatures, checksums). Provide clear instructions for users to verify file integrity before use. Consider hosting skill files on a trusted, immutable content delivery network or requiring manual review. | LLM | SKILL.md:39 | |
| HIGH | Skill updates from potentially untrusted localhost server The skill provides instructions to update skills by `curl`ing files from `http://localhost:3000`. This relies on a local server being present and trusted. If an attacker can control or spoof `localhost:3000` (e.g., via a malicious local service, DNS rebinding, or network misconfiguration), they could serve malicious skill files, leading to agent compromise. Additionally, the `grep -o` command within the `for` loop for market updates could be vulnerable to command injection if `config.json` is manipulated. Avoid relying on `localhost` for fetching critical skill updates without strong authentication and integrity checks. If a local server is necessary, ensure it's cryptographically secured and authenticated. Sanitize or validate any user-controlled input used in shell commands, such as the `config.json` content in the `for` loop. | LLM | SKILL.md:100 |
Scan History
Embed Code
[](https://skillshield.io/report/ec4ca1314e0d05cb)
Powered by SkillShield