Trust Assessment
clawlink received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 24 findings: 13 critical, 1 high, 8 medium, and 2 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Unpinned npm dependency version.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings24
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/davemorin/clawlink/cli.js:27 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/davemorin/clawlink/cli.js:52 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/davemorin/clawlink/cli.js:57 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/davemorin/clawlink/cli.js:68 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/davemorin/clawlink/cli.js:74 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/davemorin/clawlink/cli.js:79 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/davemorin/clawlink/test/test-relay.js:175 | |
| CRITICAL | Command Injection via execSync with user-controlled arguments The `cli.js` script uses `child_process.execSync` to execute other Node.js scripts, passing user-controlled arguments directly into the shell command string. This allows an attacker to inject arbitrary shell commands by crafting malicious input for `name`, `friend-link`, `friend`, `message`, or `pollArgs`. Replace `execSync` with `child_process.spawn` or `child_process.execFile` and pass arguments as an array to prevent shell interpretation. Ensure all user-provided inputs are properly sanitized or escaped before being used in shell commands. For example, `spawn('node', [join(__dirname, 'scripts/setup.js'), `--name=${name}`], { stdio: 'inherit' })`. | LLM | cli.js:19 | |
| CRITICAL | Command Injection via execSync with user-controlled arguments The `cli.js` script uses `child_process.execSync` to execute other Node.js scripts, passing user-controlled arguments directly into the shell command string. This allows an attacker to inject arbitrary shell commands by crafting malicious input for `name`, `friend-link`, `friend`, `message`, or `pollArgs`. Replace `execSync` with `child_process.spawn` or `child_process.execFile` and pass arguments as an array to prevent shell interpretation. Ensure all user-provided inputs are properly sanitized or escaped before being used in shell commands. For example, `spawn('node', [join(__dirname, 'scripts/friends.js'), 'add', args[1]], { stdio: 'inherit' })`. | LLM | cli.js:37 | |
| CRITICAL | Command Injection via execSync with user-controlled arguments The `cli.js` script uses `child_process.execSync` to execute other Node.js scripts, passing user-controlled arguments directly into the shell command string. This allows an attacker to inject arbitrary shell commands by crafting malicious input for `name`, `friend-link`, `friend`, `message`, or `pollArgs`. Replace `execSync` with `child_process.spawn` or `child_process.execFile` and pass arguments as an array to prevent shell interpretation. Ensure all user-provided inputs are properly sanitized or escaped before being used in shell commands. For example, `spawn('node', [join(__dirname, 'scripts/friends.js'), 'list'], { stdio: 'inherit' })`. | LLM | cli.js:44 | |
| CRITICAL | Command Injection via execSync with user-controlled arguments The `cli.js` script uses `child_process.execSync` to execute other Node.js scripts, passing user-controlled arguments directly into the shell command string. This allows an attacker to inject arbitrary shell commands by crafting malicious input for `name`, `friend-link`, `friend`, `message`, or `pollArgs`. Replace `execSync` with `child_process.spawn` or `child_process.execFile` and pass arguments as an array to prevent shell interpretation. Ensure all user-provided inputs are properly sanitized or escaped before being used in shell commands. For example, `spawn('node', [join(__dirname, 'scripts/send.js'), friend, message], { stdio: 'inherit' })`. | LLM | cli.js:53 | |
| CRITICAL | Command Injection via execSync with user-controlled arguments The `cli.js` script uses `child_process.execSync` to execute other Node.js scripts, passing user-controlled arguments directly into the shell command string. This allows an attacker to inject arbitrary shell commands by crafting malicious input for `name`, `friend-link`, `friend`, `message`, or `pollArgs`. Replace `execSync` with `child_process.spawn` or `child_process.execFile` and pass arguments as an array to prevent shell interpretation. Ensure all user-provided inputs are properly sanitized or escaped before being used in shell commands. For example, `spawn('node', [join(__dirname, 'scripts/poll.js'), ...pollArgs.split(' ')], { stdio: 'inherit' })`. | LLM | cli.js:58 | |
| CRITICAL | Command Injection via execSync with user-controlled arguments The `cli.js` script uses `child_process.execSync` to execute other Node.js scripts, passing user-controlled arguments directly into the shell command string. This allows an attacker to inject arbitrary shell commands by crafting malicious input for `name`, `friend-link`, `friend`, `message`, or `pollArgs`. Replace `execSync` with `child_process.spawn` or `child_process.execFile` and pass arguments as an array to prevent shell interpretation. Ensure all user-provided inputs are properly sanitized or escaped before being used in shell commands. For example, `spawn('node', [join(__dirname, 'scripts/poll.js')], { stdio: 'inherit' })`. | LLM | cli.js:62 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/davemorin/clawlink/test/test-relay.js:69 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/davemorin/clawlink/lib/crypto.js:62 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/davemorin/clawlink/lib/relay.js:116 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/davemorin/clawlink/lib/relay.js:130 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/davemorin/clawlink/lib/requests.js:7 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/davemorin/clawlink/scripts/send.js:35 | |
| MEDIUM | Unpinned npm dependency version Dependency 'tweetnacl' is not pinned to an exact version ('^1.0.3'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/davemorin/clawlink/package.json | |
| MEDIUM | Path Traversal Vulnerability in Filename Construction The `scripts/poll.js` script constructs filenames for saving incoming messages using `friend.displayName`. If an attacker can control the `displayName` (e.g., during friend request acceptance or setup), they could inject path traversal sequences (like `../`) to write files outside the intended `INBOX_DIR`. This could lead to overwriting sensitive files or writing malicious scripts. Sanitize `friend.displayName` to remove or escape any path-unfriendly characters, especially path separators (`/`, `\`) and path traversal sequences (`..`). A robust solution would be to hash the display name or use a UUID for filenames, or strictly validate the display name format. | LLM | scripts/poll.js:30 | |
| MEDIUM | Path Traversal Vulnerability in Filename Construction The `scripts/send.js` script constructs filenames for saving outgoing messages using `friend.displayName`. If an attacker can control the `displayName` (e.g., during friend request acceptance or setup), they could inject path traversal sequences (like `../`) to write files outside the intended `OUTBOX_DIR`. This could lead to overwriting sensitive files or writing malicious scripts. Sanitize `friend.displayName` to remove or escape any path-unfriendly characters, especially path separators (`/`, `\`) and path traversal sequences (`..`). A robust solution would be to hash the display name or use a UUID for filenames, or strictly validate the display name format. | LLM | scripts/send.js:29 | |
| LOW | Unpinned Dependency Versions in package.json The `package.json` file specifies dependencies (`tweetnacl`, `tweetnacl-util`) using caret (`^`) ranges. While `package-lock.json` provides exact versions, relying solely on `package.json` (e.g., during `npm install --no-package-lock`) could lead to installing newer, potentially vulnerable or malicious versions if a supply chain attack occurs within the specified major version range. Pin exact dependency versions in `package.json` (e.g., `"tweetnacl": "1.0.3"`) to ensure deterministic builds and prevent unexpected updates. Always commit `package-lock.json` and ensure it is used during deployment. | LLM | package.json:12 | |
| LOW | Unpinned Dependency Versions in package.json The `package.json` file specifies dependencies (`tweetnacl`, `tweetnacl-util`) using caret (`^`) ranges. While `package-lock.json` provides exact versions, relying solely on `package.json` (e.g., during `npm install --no-package-lock`) could lead to installing newer, potentially vulnerable or malicious versions if a supply chain attack occurs within the specified major version range. Pin exact dependency versions in `package.json` (e.g., `"tweetnacl-util": "0.15.1"`) to ensure deterministic builds and prevent unexpected updates. Always commit `package-lock.json` and ensure it is used during deployment. | LLM | package.json:13 |
Scan History
Embed Code
[](https://skillshield.io/report/27cf374d6e92ed13)
Powered by SkillShield