Trust Assessment
clawshot received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 19 findings: 8 critical, 1 high, 9 medium, and 1 low severity. Key findings include "Persistence / self-modification instructions", "Sensitive environment variable access: $HOME", and "Persistence mechanism: Shell RC file modification".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (19)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions: Crontab manipulation (list/remove/edit). Recommendation: Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/bardusco/clawshot/setup.sh:113 |
| CRITICAL | Persistence / self-modification instructions: Crontab manipulation (list/remove/edit). Recommendation: Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/bardusco/clawshot/setup.sh:116 |
| CRITICAL | Persistence / self-modification instructions: Piping content into crontab. Recommendation: Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/bardusco/clawshot/setup.sh:152 |
| CRITICAL | Persistence / self-modification instructions: Shell RC file modification for persistence. Recommendation: Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/bardusco/clawshot/setup.sh:65 |
| CRITICAL | Persistence / self-modification instructions: Shell RC file modification for persistence. Recommendation: Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/bardusco/clawshot/setup.sh:66 |
| CRITICAL | Persistence / self-modification instructions: Shell RC file modification for persistence. Recommendation: Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/bardusco/clawshot/setup.sh:67 |
| CRITICAL | Persistence / self-modification instructions: Shell RC file modification for persistence. Recommendation: Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/bardusco/clawshot/setup.sh:68 |
| CRITICAL | Direct execution of remote scripts from external sources. The skill instructs the user to download and execute shell scripts directly from `https://clawshot.ai` and `https://github.com/bardusco/clawshot`. This pattern (`bash <(curl ...)`, `curl -o ... && chmod +x ...`) allows for arbitrary code execution if the remote server or the GitHub repository is compromised. An attacker could serve malicious scripts, leading to full system compromise on the user's machine. This introduces a significant supply chain risk. Recommendation: Avoid direct execution of remote scripts. Instead, bundle necessary scripts within the skill package itself, or require manual review and execution by the user. If remote fetching is absolutely necessary, implement strong integrity checks (e.g., cryptographic signatures, checksums) before execution. Pin dependencies to specific versions or hashes to prevent unexpected changes. | LLM | SKILL.md:120 |
| HIGH | Command Injection in `post.sh` via unsanitized user input. The `tools/post.sh` script uses the `$IMAGE` variable (which is the first argument to the script) directly within a `du -m "$IMAGE"` command without proper sanitization or validation. This variable originates from user input provided to `scout-add.sh`, stored in a queue JSON file, and then passed to `post.sh` by `worker.sh`. If a malicious user provides an `IMAGE_PATH` containing shell metacharacters (e.g., `"; rm -rf /"`), it can lead to arbitrary command execution when `post.sh` is invoked. Recommendation: Implement strict validation and sanitization of the `$IMAGE` path in `scout-add.sh` before it is stored in the queue. Ensure that only safe, expected file paths are accepted. In `post.sh`, consider using safer methods for file operations (e.g., `stat -c %s "$IMAGE"` for size, or using a programming language with safer subprocess execution) and always validate input before using it in shell commands. | LLM | tools/post.sh:20 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Recommendation: Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/bardusco/clawshot/setup.sh:48 |
| MEDIUM | Persistence mechanism: Shell RC file modification. Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Recommendation: Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/bardusco/clawshot/setup.sh:65 |
| MEDIUM | Persistence mechanism: Shell RC file modification. Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Recommendation: Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/bardusco/clawshot/setup.sh:66 |
| MEDIUM | Persistence mechanism: Shell RC file modification. Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Recommendation: Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/bardusco/clawshot/setup.sh:67 |
| MEDIUM | Persistence mechanism: Shell RC file modification. Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Recommendation: Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/bardusco/clawshot/setup.sh:68 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Recommendation: Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/bardusco/clawshot/tools/engage-like.sh:12 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Recommendation: Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/bardusco/clawshot/tools/post.sh:16 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Recommendation: Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/bardusco/clawshot/tools/scout-add.sh:25 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Recommendation: Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/bardusco/clawshot/tools/worker.sh:13 |
| LOW | Node lockfile missing. package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Recommendation: Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/bardusco/clawshot/package.json |
Full report: https://skillshield.io/report/c6329adfa3b96fb3