Trust Assessment
clawforgod received a trust score of 48/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 0 critical, 2 high, 4 medium, and 1 low severity. Key findings include "Unsafe deserialization / dynamic eval", "Missing required field: name", and "Node lockfile missing".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| HIGH | Sensitive Credential (GitHub Token) Loaded and Used | The skill loads a GitHub Personal Access Token (`GITHUB_TOKEN`) from environment variables in `scripts/clawforgod.js` and subsequently uses it to authenticate API requests to GitHub in `scripts/pattern-learner.js`. While necessary for functionality, this token is a sensitive credential. If the skill's environment is compromised, or if there is a vulnerability that allows this token to be logged or exfiltrated, it could grant an attacker extensive access to the user's GitHub account. Ensure `GITHUB_TOKEN` is stored securely (e.g., in a secrets manager, not directly in `.env` in production). Implement least privilege by using a token with the minimum necessary scopes (e.g., `repo:status`, `public_repo` for reading events, not full `repo` access). Consider token rotation policies and ensure no logging of the token occurs. The usage in `scripts/pattern-learner.js` at line 100 should also be reviewed. | LLM | scripts/clawforgod.js:30 |
| HIGH | Potential Prompt Injection due to Truncated Code | The `scripts/clawforgod.js` file, which acts as the main orchestrator and emits messages (likely to the host LLM), is truncated. Several event handlers (e.g., `handleMorningCheckIn`, `handleEveningReflection`, `handleWorldEventConnection`) receive data that can originate from user-controlled input (e.g., `CheckInPrompter.recordEntry`'s `content`, `WorldEventConnector.connectEventToScripture`'s `eventDescription`). Without the full code, it is impossible to verify whether these user-controlled inputs are properly sanitized before being included in messages emitted to the host LLM. This creates a high risk of prompt injection, where malicious user input could manipulate the LLM's behavior. Provide the complete source code for `scripts/clawforgod.js` for a thorough security analysis. Implement strict input sanitization and validation for all user-controlled data before it is used in messages or prompts sent to the host LLM. Ensure that user input is treated as data, not instructions. | LLM | scripts/clawforgod.js:176 |
| MEDIUM | Unsafe deserialization / dynamic eval | Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/snail3d/clawd/skills/clawforgod/scripts/calendar-guardian.js:4 |
| MEDIUM | Missing required field: name | The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/snail3d/clawd/skills/clawforgod/SKILL.md:1 |
| MEDIUM | Sensitive Credential (Telegram Chat ID) Loaded | The skill loads `TELEGRAM_CHAT_ID` from environment variables in `scripts/clawforgod.js`. This ID is sensitive as it identifies a specific chat for communication. While its direct usage for sending messages is not shown in the truncated code, it is a common pattern for such IDs. If this ID is exposed or misused, it could allow unauthorized parties to send messages to or identify the user's Telegram chat, potentially leading to data exfiltration or unauthorized communication. Ensure `TELEGRAM_CHAT_ID` is stored securely (e.g., in a secrets manager). Implement strict validation and sanitization for any messages sent using this ID to prevent data exfiltration or unauthorized communication. Ensure no logging of the chat ID occurs. | LLM | scripts/clawforgod.js:32 |
| MEDIUM | Configurable File Path for Data Source (Arbitrary File Read Risk) | The `versesDb` path is configurable via the `VERSES_DB` environment variable (`process.env.VERSES_DB || 'config/verses.json'`) in `scripts/clawforgod.js`. While the `WorldEventConnector` (the likely consumer of this database) is not explicitly shown reading from this path in the provided snippet, it is a strong inference given its name and purpose. If an attacker can control the `VERSES_DB` environment variable, they could potentially direct the skill to read arbitrary files on the system, leading to data exfiltration. Restrict the `VERSES_DB` environment variable to only allow paths within the skill's designated data directory. Implement path sanitization (e.g., `path.resolve` and checking against a base directory) before using the configured path in `fs` operations. If possible, avoid making sensitive file paths configurable via environment variables that could be influenced by untrusted input. | LLM | scripts/clawforgod.js:38 |
| LOW | Node lockfile missing | package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/snail3d/clawd/skills/clawforgod/package.json |
| INFO | Unanalyzed Entry Point in package.json | The `package.json` defines a `start` script that executes `scripts/1st-commandment.js`. This file is not provided in the skill package context for analysis. Without access to its source code, it is impossible to assess its security implications, including potential command injection, data exfiltration, or other malicious activities. This represents an unanalyzed entry point for the skill. Provide the source code for `scripts/1st-commandment.js` for a complete security analysis of the skill's execution paths. | LLM | package.json:10 |
Full report: https://skillshield.io/report/0fd030ecf52e5450 (powered by SkillShield)