Trust Assessment
clawforgod received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 39 findings: 18 critical, 10 high, 10 medium, and 1 low severity. Key findings include persistence / self-modification instructions, network egress to untrusted endpoints, and arbitrary command execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (39)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions: Crontab manipulation (list/remove/edit). Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/clawforgod/scripts/install-morning-briefing.sh:73 | |
| CRITICAL | Persistence / self-modification instructions: Crontab manipulation (list/remove/edit). Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/clawforgod/scripts/install-morning-briefing.sh:85 | |
| CRITICAL | Persistence / self-modification instructions: Crontab manipulation (list/remove/edit). Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/clawforgod/scripts/install-morning-briefing.sh:95 | |
| CRITICAL | Persistence / self-modification instructions: Crontab manipulation (list/remove/edit). Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/clawforgod/scripts/install-morning-briefing.sh:106 | |
| CRITICAL | Persistence / self-modification instructions: Crontab manipulation (list/remove/edit). Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/clawforgod/scripts/install-morning-briefing.sh:149 | |
| CRITICAL | Persistence / self-modification instructions: Piping content into crontab. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/clawforgod/scripts/install-morning-briefing.sh:99 | |
| CRITICAL | Network egress to untrusted endpoints: Axios POST/PUT to URL. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/snail3d/clawforgod/scripts/overwatch-checkin.js:81 | |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawforgod/scripts/overwatch.py:98 | |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawforgod/scripts/overwatch.py:128 | |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawforgod/scripts/overwatch.py:257 | |
| CRITICAL | Arbitrary command execution: Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawforgod/scripts/generate-morning-briefing.js:11 | |
| CRITICAL | Arbitrary command execution: Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawforgod/scripts/overwatch-checkin.js:17 | |
| CRITICAL | Arbitrary command execution: Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawforgod/scripts/skill-discovery-agent.js:13 | |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawforgod/scripts/overwatch-checkin.js:54 | |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawforgod/scripts/overwatch-checkin.js:127 | |
| CRITICAL | Prompt Injection via workspace context for sub-agent. The `generate-morning-briefing.js` script constructs a task descriptor for a sub-agent (likely an LLM, as indicated by `skill-discovery-agent.js`) using `workspaceContext`. This context is read from local files (`MEMORY.md`, `SOUL.md`, `TOOLS.md`, `memory/*.md`). If an attacker can manipulate these local files, they can inject malicious instructions into the sub-agent's prompt, potentially leading to arbitrary actions or information disclosure by the sub-agent. Implement strict sanitization and validation of any user-controlled or locally stored content before it is incorporated into prompts for LLMs. Consider using a separate, isolated environment for processing untrusted inputs or implementing a robust prompt firewall to detect and neutralize malicious instructions. | LLM | scripts/generate-morning-briefing.js:204 | |
| CRITICAL | Prompt Injection via mail hygiene report content. The `mail-hygiene-reporter.sh` script embeds `REPORT_CONTENT` (read from `latest-summary.txt`) directly into a message intended for the main agent. If an attacker can influence the content of `latest-summary.txt` (e.g., by sending specially crafted emails that get processed and written to this report), they could inject malicious instructions into the message, potentially manipulating the main agent's behavior. Sanitize or escape any content derived from untrusted sources (like email content) before embedding it into messages or prompts for LLMs or other automated agents. Ensure that report files are not directly interpretable as commands or instructions. | LLM | scripts/mail-hygiene-reporter.sh:40 | |
| CRITICAL | Command Injection in mail-hygiene.sh via email From address. The `mail-hygiene.sh` script uses the `$from_address` variable, extracted directly from email headers, in a `gog gmail create-filter` command. An attacker can craft an email with a malicious `From:` header (e.g., `From: 'attacker@example.com; rm -rf /'`) to inject and execute arbitrary shell commands when the filter is created, leading to remote code execution. Properly sanitize or quote the `$from_address` variable before passing it to `gog gmail create-filter`. Use `printf %q` in Bash to ensure the argument is safely passed to the command, preventing shell metacharacter interpretation. | LLM | scripts/mail-hygiene.sh:150 | |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'detect_motion'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawforgod/scripts/overwatch.py:128 | |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'capture_frame'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawforgod/scripts/overwatch.py:98 | |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawforgod/scripts/overwatch.py:257 | |
| HIGH | Potential data exfiltration: file read + network send. Function 'send_telegram_photo' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/snail3d/clawforgod/scripts/overwatch.py:58 | |
| HIGH | Persistence mechanism: Crontab modification. Detected Crontab modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/snail3d/clawforgod/scripts/install-morning-briefing.sh:85 | |
| HIGH | Persistence mechanism: Crontab modification. Detected Crontab modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/snail3d/clawforgod/scripts/install-morning-briefing.sh:95 | |
| HIGH | Command Injection via user-controlled arguments in capture.sh. The `capture.sh` script constructs shell commands using user-controlled variables `$DEVICE` (from `WEBCAM_DEVICE` environment variable) and `$OUTPUT` (from the first command-line argument `$1`). If an attacker can control these inputs, they can inject arbitrary shell commands, leading to remote code execution. For example, setting `WEBCAM_DEVICE` to `'; rm -rf /'` could execute a malicious command. Sanitize or validate user-provided inputs (`$1`, `WEBCAM_DEVICE`) before using them in shell commands. Prefer using `exec` with an array of arguments in Python/Node.js or `printf %q` in Bash to properly quote arguments, preventing shell metacharacter interpretation. | LLM | scripts/capture.sh:10 | |
| HIGH | Supply Chain Risk: Unverified Binary Download and Execution. The `claude-code-updater.sh` script downloads and executes a binary (`claude-code`) from a GitHub release URL without any cryptographic verification (e.g., checksum, GPG signature). If the GitHub repository or release assets are compromised, a malicious binary could be downloaded and executed on the system, leading to a severe supply chain attack. Implement cryptographic verification for downloaded binaries. This typically involves downloading a checksum or signature file alongside the binary and verifying its integrity before execution. Alternatively, use a trusted package manager that handles such verifications. | LLM | scripts/claude-code-updater.sh:64 | |
| HIGH | Indirect Command Injection via vulnerable capture.sh script. The `overwatch-checkin.js` script executes `./scripts/capture.sh`. As identified in a separate finding (SS-LLM-002), `capture.sh` is vulnerable to command injection through its `$OUTPUT` argument. Although `overwatch-checkin.js` constructs `$outputPath` from internal variables, the underlying vulnerability in `capture.sh` means that if `capture.sh` were called with untrusted input elsewhere, or if its internal logic were compromised, this execution path could be exploited. Address the root command injection vulnerability in `scripts/capture.sh` (SS-LLM-002). Ensure all scripts called by other scripts are robust against command injection, even if the immediate caller provides sanitized input. | LLM | scripts/overwatch-checkin.js:45 | |
| HIGH | Excessive Permissions: HTTP Server Binds to All Network Interfaces. The `overwatch.py` script starts an HTTP server (`socketserver.TCPServer`) that binds to all available network interfaces (`''` or `0.0.0.0`) on port 8000. This exposes the MJPEG live stream to the entire local network, and potentially the internet if port forwarding is configured. This broad network exposure can lead to unauthorized access to the camera feed, compromising privacy and security. Restrict the HTTP server to bind only to the loopback interface (`127.0.0.1`) unless external access is explicitly required and secured. If external access is necessary, implement authentication, authorization, and encryption (HTTPS) to protect the stream. Change `socketserver.TCPServer(('', 8000), StreamHandler)` to `socketserver.TCPServer(('127.0.0.1', 8000), StreamHandler)`. | LLM | scripts/overwatch.py:147 | |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/snail3d/clawforgod/scripts/skill-discovery-agent.js:89 | |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/snail3d/clawforgod/SKILL.md:1 | |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/snail3d/clawforgod/scripts/overwatch.py:56 | |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/snail3d/clawforgod/scripts/overwatch.py:82 | |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/snail3d/clawforgod/scripts/claude-code-updater.sh:8 | |
| MEDIUM | Sensitive environment variable access: $GITHUB_API. Access to sensitive environment variable '$GITHUB_API' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/snail3d/clawforgod/scripts/claude-code-updater.sh:21 | |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/snail3d/clawforgod/scripts/motion-detect.sh:5 | |
| MEDIUM | Unpinned npm dependency version. Dependency 'axios' is not pinned to an exact version ('^1.6.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/snail3d/clawforgod/package.json | |
| MEDIUM | Data Exfiltration: Camera Snapshots Sent to External AI and Messaging Services. The `overwatch-checkin.js` script captures camera snapshots and sends them to the Groq Vision API for analysis and to Telegram for alerts. While these are legitimate services, sending potentially sensitive images (e.g., of private spaces, individuals) to external third parties constitutes data exfiltration. This could lead to privacy concerns or unintended exposure of sensitive information. Assess the sensitivity of the data being captured. Implement explicit user consent mechanisms for sending images to external services. Consider local processing for sensitive data or anonymization techniques before transmission. Clearly document the data handling practices and privacy implications for users. | LLM | scripts/overwatch-checkin.js:60 | |
| MEDIUM | Data Exfiltration: Camera Snapshots Sent to External Messaging Service. The `overwatch.py` script captures camera snapshots and sends them to Telegram for alerts. While Telegram is a legitimate messaging service, sending potentially sensitive images (e.g., of private spaces, individuals) to an external third party constitutes data exfiltration. This could lead to privacy concerns or unintended exposure of sensitive information. Assess the sensitivity of the data being captured. Implement explicit user consent mechanisms for sending images to external services. Consider local processing for sensitive data or anonymization techniques before transmission. Clearly document the data handling practices and privacy implications for users. | LLM | scripts/overwatch.py:50 | |
| LOW | Node lockfile missing. package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/snail3d/clawforgod/package.json | |