Trust Assessment
clawphone received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 17 findings: 8 critical, 2 high, 6 medium, and 0 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Unpinned npm dependency version.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings17
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/davemorin/clawdlink/cli.js:27 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/davemorin/clawdlink/cli.js:52 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/davemorin/clawdlink/cli.js:57 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/davemorin/clawdlink/cli.js:68 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/davemorin/clawdlink/cli.js:74 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/davemorin/clawdlink/cli.js:79 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/davemorin/clawdlink/test/test-relay.js:175 | |
| CRITICAL | Command Injection via Unquoted Arguments in CLI The `cli.js` script uses `execSync` with unquoted user-supplied arguments when calling `scripts/poll.js`. This allows an attacker to inject arbitrary shell commands by providing malicious input as part of the arguments to the `clawphone poll` command. For example, `clawphone poll --verbose '; rm -rf /'` would execute `rm -rf /`. Replace `execSync` with `child_process.spawn` and pass arguments as an array to prevent shell interpretation. Alternatively, if `execSync` is strictly necessary, ensure all user-controlled arguments are properly escaped for the shell, though this is generally less secure than `spawn` with an array. | LLM | cli.js:61 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/davemorin/clawdlink/test/test-relay.js:69 | |
| HIGH | Potential Command Injection via Quoted Arguments in CLI The `cli.js` script uses `execSync` to execute other Node.js scripts, passing user-supplied arguments that are enclosed in double quotes. While quoting helps mitigate some shell injection vectors, it is not foolproof. Sophisticated attackers might still be able to bypass these quotes using techniques like command substitution (`$(...)`) or backticks, especially if the shell environment is not strictly controlled. This pattern is present in calls to `scripts/setup.js`, `scripts/friends.js`, and `scripts/send.js`. Avoid using `execSync` with user-controlled input. Prefer `child_process.spawn` and pass arguments as an array to prevent shell interpretation. If `execSync` is unavoidable, implement robust shell escaping for all user-controlled parts of the command string. | LLM | cli.js:24 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/davemorin/clawdlink/lib/crypto.js:62 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/davemorin/clawdlink/lib/relay.js:107 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/davemorin/clawdlink/lib/relay.js:121 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/davemorin/clawdlink/lib/requests.js:7 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/davemorin/clawdlink/scripts/send.js:35 | |
| MEDIUM | Unpinned npm dependency version Dependency 'tweetnacl' is not pinned to an exact version ('^1.0.3'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/davemorin/clawdlink/package.json | |
| INFO | Unpinned Dependency Versions The `package.json` file uses caret (`^`) ranges for `tweetnacl` and `tweetnacl-util` dependencies. While this allows for minor and patch updates, it means that new versions could be installed without explicit review, potentially introducing new vulnerabilities or breaking changes. Pinning exact versions (`1.0.3` instead of `^1.0.3`) provides greater control and predictability over the dependency tree. Consider pinning exact versions for all dependencies in `package.json` (e.g., `"tweetnacl": "1.0.3"`) to ensure deterministic builds and reduce the risk of unexpected changes from upstream packages. Regularly audit and update dependencies. | LLM | package.json:14 |
Scan History
Embed Code
[](https://skillshield.io/report/6b8d04bae5ffea49)
Powered by SkillShield