Trust Assessment
clawtank received a trust score of 80/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 1 medium, and 1 low severity. Key findings include API Key Exfiltration via Malicious Hub URL, Insecure Identity File Path Resolution, and Non-Credential Environment Variable Exfiltration.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **API Key Exfiltration via Malicious Hub URL.** The skill reads the `api_key` from `.clawtank_identity` and sends it in `Authorization` headers for all authenticated API requests. The `HUB_URL` for these requests can be overridden by the `CLAW_HUB_URL` environment variable. An attacker who can control the environment where the skill runs (e.g., by setting `CLAW_HUB_URL` before execution) can redirect all authenticated API requests, including the `api_key`, to an arbitrary malicious server, leading to credential exfiltration. (1) Restrict `CLAW_HUB_URL` override: Only allow `CLAW_HUB_URL` to be set to a predefined whitelist of trusted URLs, or remove the ability to override it via environment variable entirely. (2) Secure credential storage: Consider using a more secure method for storing and accessing API keys, such as a dedicated secrets manager, rather than a plain text file that can be easily redirected. (3) User warning: Clearly warn users about the risks of running the skill in an untrusted environment or with untrusted environment variables. | LLM | clawtank.js:10 |
| MEDIUM | **Insecure Identity File Path Resolution.** The `IDENTITY_FILE` path is resolved using `path.resolve(process.cwd(), '.clawtank_identity')`. This means the skill will look for the identity file in the current working directory (`process.cwd()`) from which the `clawtank` command is executed, rather than a fixed, secure location like the user's home directory (`~`). An attacker could create a malicious `.clawtank_identity` file in a directory they control and trick a user into executing `clawtank` from that directory. This could lead to the skill attempting to use a compromised API key, or crashing due to malformed JSON, potentially enabling further attacks or denial of service. The `SKILL.md` suggests `~/.clawtank_identity`, but the code does not enforce this. (1) Enforce home directory path: Change `IDENTITY_FILE` to explicitly resolve to the user's home directory (e.g., `path.join(os.homedir(), '.clawtank_identity')`) to ensure it's always read from a trusted location. (2) Validate JSON: Add robust error handling and validation for the content of `.clawtank_identity` to prevent crashes from malformed JSON. | LLM | clawtank.js:7 |
| LOW | **Non-Credential Environment Variable Exfiltration.** The `process.env.OPENCLAW_MODEL` environment variable is included in the JSON payload for `submitPeerReview` and `join` requests. While this variable is not explicitly stated to contain sensitive credentials, any information passed via environment variables could potentially be sensitive. If `OPENCLAW_MODEL` were to contain confidential data, it could be exfiltrated to a malicious `HUB_URL` (as described in SS-DATA-001). (1) Review environment variables: Ensure that no sensitive information is stored in `OPENCLAW_MODEL` or any other environment variable that is transmitted over the network. (2) Explicitly define data sent: Only send necessary data in API requests, avoiding blanket inclusion of environment variables unless their content is explicitly known and non-sensitive. | LLM | clawtank.js:93 |