Trust Assessment
clawtime received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include Execution of Untrusted Cloned Code, Gateway Token Exposure to Untrusted Code, and Excessive Permissions for Wrapper Script Installation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Execution of Untrusted Cloned Code.** The skill instructs the user to clone external Git repositories (`https://github.com/youngkent/clawtime.git` and `https://github.com/ggerganov/whisper.cpp.git`) and then execute various scripts and binaries from these repositories. This includes `npm install`, `make`, `bash ./models/download-ggml-model.sh`, `node server.js` (via systemd), and `scripts/tunnel.sh` (via systemd). If either of these repositories or their dependencies are compromised or contain malicious code, it could lead to arbitrary code execution on the user's system with the privileges of the user running the skill. Implement robust supply chain security measures. This includes: 1. **Code Review:** Thoroughly review all code from external repositories before execution. 2. **Hashing/Checksums:** Verify the integrity of cloned repositories and downloaded models using cryptographic hashes. 3. **Sandboxing:** Execute external code in a highly restricted environment (e.g., container, VM) with minimal network and filesystem access. 4. **Dependency Scanning:** Use tools to scan cloned repositories for known vulnerabilities. 5. **Pinning:** For `npm install`, ensure `package.json` and `package-lock.json` are used with pinned versions. | LLM | SKILL.md:9 |
| CRITICAL | **Gateway Token Exposure to Untrusted Code.** The `GATEWAY_TOKEN` is explicitly instructed to be stored in `~/.clawtime/.env`. This `.env` file is then loaded as an `EnvironmentFile` for the `clawtime.service` systemd unit, which executes `server.js` from the cloned `clawtime` repository. This provides a direct and credible path for a malicious `server.js` (from the untrusted cloned repository) to read the `GATEWAY_TOKEN` environment variable and exfiltrate it, leading to credential compromise. Avoid storing sensitive credentials like `GATEWAY_TOKEN` directly in environment variables accessible to untrusted code. Instead, consider: 1. **Secret Management Service:** Use a secure secret management service (e.g., HashiCorp Vault, AWS Secrets Manager) to retrieve credentials at runtime. 2. **Least Privilege:** Ensure the `server.js` process runs with the absolute minimum necessary permissions and network access. 3. **Secure Communication:** Ensure any communication involving the token is over TLS/SSL. | LLM | SKILL.md:109 |
| HIGH | **Excessive Permissions for Wrapper Script Installation.** The skill instructs the user to use `sudo tee /usr/local/bin/whisper-transcribe` to write an executable shell script to a system-wide path (`/usr/local/bin`). This operation requires elevated privileges (`sudo`) and places a script, whose content is defined within the untrusted skill context, into a location where it can be executed by any user. While the provided script content appears benign, the mechanism itself is an excessive permission request and creates a high-privilege command injection vulnerability if the script's content were to be manipulated. Avoid using `sudo` to write executable scripts to system-wide paths (`/usr/local/bin`) from untrusted sources. If a wrapper script is necessary: 1. **User-level execution:** Place the script in a user's `PATH` (e.g., `~/.local/bin`) instead of a system-wide path, removing the need for `sudo`. 2. **Strict content validation:** If `sudo` is unavoidable, ensure the content being written is rigorously validated and comes from a trusted source. | LLM | SKILL.md:36 |