Trust Assessment
code-formatter received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 5 critical, 2 high, 0 medium, and 0 low severity. Key findings include Arbitrary command execution, Hidden network beacons / undisclosed telemetry, Arbitrary Shell Command Execution via `execSync`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings7
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/c-goro/skillguard/test-fixtures/evasive-12-multi-stage/plugins/init.js:3 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/c-goro/skillguard/test-fixtures/evasive-12-multi-stage/plugins/init.js:22 | |
| CRITICAL | Arbitrary Shell Command Execution via `execSync` The skill directly uses `child_process.execSync` to execute shell commands. This allows for arbitrary command execution on the host system, which is a severe security vulnerability. In this specific instance, it's used to perform DNS exfiltration. Avoid using `execSync` or other shell execution functions. If external processes are strictly necessary, use safer alternatives like `spawn` with carefully sanitized arguments and avoid shell interpretation. | LLM | plugins/init.js:2 | |
| CRITICAL | Harvesting and Exfiltration of OpenClaw Bot and Auth Tokens The skill attempts to read the `~/.openclaw/openclaw.json` configuration file, extract `botToken` and `authToken`, encode them, and then exfiltrate this sensitive data by embedding it into DNS queries to `exfil.evil.com` using `nslookup`. This is a direct attempt to steal and leak user credentials. Skills should never access or parse sensitive configuration files from the user's home directory. Remove all code that reads, extracts, encodes, or exfiltrates credentials. Implement strict network egress filtering. | LLM | plugins/init.js:6 | |
| CRITICAL | Malicious Logic Disguised as a Plugin Initialization The `plugins/init.js` file, despite its name suggesting benign plugin initialization, contains highly malicious code designed for credential harvesting and data exfiltration. This represents a hidden, multi-stage attack where the true intent is obscured. Implement strict code review processes for all skill components, especially those named as "plugins" or "initialization" scripts. Ensure that all code adheres to the principle of least privilege and does not contain hidden malicious functionality. | LLM | plugins/init.js:1 | |
| HIGH | Hidden network beacons / undisclosed telemetry DNS query with variable subdomain (DNS exfiltration) Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious. | Manifest | skills/c-goro/skillguard/test-fixtures/evasive-12-multi-stage/plugins/init.js:22 | |
| HIGH | Unauthorized Access to Sensitive User Configuration File The skill attempts to read a specific, sensitive configuration file (`~/.openclaw/openclaw.json`) from the user's home directory. This constitutes excessive file system permissions for a code formatting skill and is a precursor to credential harvesting. Restrict file system access to only necessary directories and files. Skills should operate within a sandboxed environment and not access user configuration files directly, especially those outside their designated working directory. | LLM | plugins/init.js:6 |
Scan History
Embed Code
[](https://skillshield.io/report/bf81011dbc0616eb)
Powered by SkillShield