Trust Assessment
clawlaunch received a trust score of 50/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 3 high, 1 medium, and 0 low severity. Key findings include "Sensitive environment variable access: $HOME", "Sensitive path access: AI agent config", and "JSON Injection via Unescaped Shell Variables".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/smokealot420/clawlaunch/scripts/clawlaunch.sh:10 |
| HIGH | **JSON Injection via Unescaped Shell Variables.** The `scripts/clawlaunch.sh` script constructs JSON payloads for `curl` commands by directly interpolating shell variables into JSON strings. This allows an attacker to inject arbitrary JSON elements or malform the JSON structure if user-controlled input contains double quotes or other JSON-breaking characters. This can lead to API abuse, data corruption, or denial of service. Use a JSON parsing utility like `jq` to safely construct JSON payloads from shell variables. For example, instead of direct string concatenation, use `jq -n --arg key "$value" '{key: $key}'` to ensure all string inputs are properly escaped within the JSON structure. This applies to all `api_call` invocations where JSON is constructed from user input. | LLM | scripts/clawlaunch.sh:109 |
| HIGH | **JSON Injection via Unescaped Shell Variables (Slippage).** The `scripts/clawlaunch.sh` script constructs JSON payloads for `curl` commands by directly interpolating shell variables into JSON strings. Specifically, the `$slippage` variable, which is expected to be an integer, is inserted without quotes. If a malicious user provides a string containing JSON-breaking characters (e.g., `200}, "malicious":"data"`), it can lead to JSON injection, potentially causing API abuse or data corruption. Ensure that numerical inputs are strictly validated as numbers before being inserted into JSON, or use a JSON parsing utility like `jq` to safely construct the payload. For example, `jq -n --argjson slippageBps "$slippage" '{slippageBps: $slippageBps}'` would ensure the value is treated as a JSON number and prevent injection. | LLM | scripts/clawlaunch.sh:132 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/smokealot420/clawlaunch/scripts/clawlaunch.sh:15 |