Trust Assessment
clawguard received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 11 findings: 6 critical, 2 high, 3 medium, and 0 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Unpinned npm dependency version.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (11)
| Severity | Finding | Description and remediation | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Remote code download piped to interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/cheenu1092-oss/jugaad-clawguard/examples/library-usage.js:29 |
| CRITICAL | Arbitrary command execution | Remote code download piped to interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/cheenu1092-oss/jugaad-clawguard/examples/plugin-usage.js:14 |
| CRITICAL | Arbitrary command execution | Remote code download piped to interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/cheenu1092-oss/jugaad-clawguard/tests/benchmark.js:33 |
| CRITICAL | Arbitrary command execution | Remote code download piped to interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/cheenu1092-oss/jugaad-clawguard/tests/detector.test.js:89 |
| CRITICAL | Arbitrary command execution | Remote code download piped to interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/cheenu1092-oss/jugaad-clawguard/tests/detector.test.js:94 |
| CRITICAL | Arbitrary command execution | Remote code download piped to interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/cheenu1092-oss/jugaad-clawguard/tests/new-features.test.js:33 |
| HIGH | Potential Data Exfiltration via Discord Approval | The `openclaw-plugin.js` sends the `input` (which can be a command, URL, or message) to a configured Discord channel for human approval when a warning is detected and the security level is set to 'cautious', 'strict', or 'paranoid'. This `input` could contain sensitive information such as API keys, session tokens, or Personally Identifiable Information (PII) if present in the command, URL, or message being checked. While the user explicitly configures and enables Discord approval, sending potentially sensitive user-provided input to an external chat service constitutes a data exfiltration risk. The `formatApprovalMessage` function truncates the input to 200 characters, which mitigates the volume of data but does not eliminate the risk of sensitive data being present within that truncated string. Implement more granular control or redaction for sensitive data within the `input` before sending it to Discord. Provide clear warnings to users about the type of data that may be transmitted. Consider hashing or masking sensitive parts of the input before sending it to Discord, or requiring explicit user confirmation for each piece of sensitive data detected within the input. | LLM | openclaw-plugin.js:100 |
| HIGH | Suspicious Dependency Version (0.0.0) | The `package-lock.json` lists `github-from-package` at version `0.0.0`. This version number is highly unusual for a published package and often indicates a placeholder, an unmaintained project, or a potential typosquatting attempt. While it is a transitive dependency of `better-sqlite3` via `prebuild-install`, its presence at `0.0.0` warrants investigation as it could pose a supply chain risk, especially for a security-focused skill. Investigate the `github-from-package@0.0.0` dependency. Verify its origin, purpose, and ensure it is not a malicious or abandoned package. If possible, update `prebuild-install` or `better-sqlite3` to a version that uses a more standard or well-maintained dependency, or consider vendoring the dependency if it's critical and small. | LLM | package-lock.json:109 |
| MEDIUM | Unsafe deserialization / dynamic eval | Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/cheenu1092-oss/jugaad-clawguard/tests/detector.test.js:140 |
| MEDIUM | Unpinned npm dependency version | Dependency 'better-sqlite3' is not pinned to an exact version ('^11.0.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/cheenu1092-oss/jugaad-clawguard/package.json |
| MEDIUM | Unpinned Dependency Version | The `package.json` specifies `better-sqlite3` with a caret (`^`) version range (`^11.0.0`). This allows for automatic updates to any `11.x.x` version. While `better-sqlite3` is a legitimate package, unpinned dependencies can introduce supply chain risks if a new minor or patch version inadvertently introduces a vulnerability or malicious code. For security-critical applications, it is best practice to pin dependencies to exact versions or use tilde (`~`) for patch-only updates to ensure reproducibility and prevent unexpected changes. Pin the `better-sqlite3` dependency to an exact version (e.g., `"better-sqlite3": "11.10.0"`) or use a tilde range (e.g., `"better-sqlite3": "~11.10.0"`) to limit updates to patch versions only. Regularly review and manually update dependencies to ensure security. | LLM | package.json:20 |