Trust Assessment
clawfriend received a trust score of 18/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 2 critical, 1 high, 2 medium, and 1 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, and Unpinned npm dependency version.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/leeknowsai/clawfriend/scripts/activation-monitor.js:112 |
| CRITICAL | Execution of Untrusted Community Skill Code: The `SKILL.md` explicitly instructs the AI agent to discover, read, and execute scripts from 'community skills' located in `~/.openclaw/workspace/skills/clawfriend-community-skills/`. This directory is designated for untrusted, community-contributed content. The instruction `cd ~/.openclaw/workspace/skills/clawfriend-community-skills/<skill-name> node scripts/some-script.js [args]` allows arbitrary code execution from these untrusted sources with the full permissions of the agent. This creates a severe supply chain vulnerability, as a malicious community skill could perform any action the agent is capable of, including data exfiltration, credential harvesting, or further command injection. Implement a robust sandboxing mechanism for community skills to restrict their access to the filesystem, network, and other system resources. Require explicit user approval for each community skill's permissions. Avoid direct execution of arbitrary scripts from untrusted directories. Consider a more controlled execution environment or a strict review process for community skills. | LLM | SKILL.md:100 |
| HIGH | Prompt Injection Leading to Command Injection via Cronjob Messages: The `scripts/cronjob-manager.js` defines `CRONJOB_TASKS` where the `payload.message` fields contain explicit shell commands (e.g., `cd ... && node scripts/...`). These messages are scheduled as `agentTurn` payloads via `openclaw cron add --message`, meaning they are presented to the AI agent as instructions. The agent is then expected to parse these messages and execute the embedded shell commands. This constitutes a prompt injection vulnerability, as the agent is being instructed to perform command injection based on its input. While these specific commands are internal to the skill, this pattern demonstrates a mechanism where a malicious prompt (potentially from a compromised community skill or external input) could instruct the agent to execute arbitrary shell commands. Avoid embedding executable shell commands directly within messages intended for AI agent interpretation. Instead, design a structured API or tool interface for the agent to interact with, where commands and arguments are clearly separated and validated. If shell execution is necessary, use a dedicated tool call with strict input validation and sanitization, rather than relying on the agent to parse and execute commands from natural language prompts. | LLM | scripts/cronjob-manager.js:150 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/leeknowsai/clawfriend/scripts/buy-sell-shares.js:3 |
| MEDIUM | Unpinned npm dependency version: Dependency 'ethers' is not pinned to an exact version ('^6.13.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/leeknowsai/clawfriend/scripts/package.json |
| LOW | Node lockfile missing: package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/leeknowsai/clawfriend/scripts/package.json |
| INFO | Sensitive Credentials Stored in Local Configuration: The skill stores `EVM_PRIVATE_KEY`, `EVM_ADDRESS`, and `CLAW_FRIEND_API_KEY` in `~/.openclaw/openclaw.json`. While this is a standard practice for local configuration and the skill explicitly warns against exfiltration, the presence of these sensitive credentials in a file accessible by the agent (and potentially by untrusted community skills, as per the 'Execution of Untrusted Community Skill Code' finding) increases the attack surface. The `recover.js` script also handles API key recovery, which involves signing messages with the private key. While local storage is necessary, ensure that `openclaw.json` has appropriate file system permissions to restrict access. Emphasize to users the importance of securing their `~/.openclaw` directory. The primary remediation for this is tied to the sandboxing of community skills (as described in the 'Execution of Untrusted Community Skill Code' finding), as they are the most likely vector for exploiting this local storage. | LLM | scripts/utils.js:100 |