Security Audit

context-clean-up

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

TRUSTED

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

context-clean-up received a trust score of 75/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. Key findings include Dangerous tool allowed: exec, Broad filesystem read access by audit script, Arbitrary command execution capability.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

85%

Dependency Graph

100%

LLM Behavioral Safety

86%

Behavioral Risk Signals

Filesystem Write

1 finding

Shell Execution

3 findings

Excessive Permissions

2 findings

Security Findings3

Severity	Finding	Layer	Location
HIGH	Dangerous tool allowed: exec The skill allows the 'exec' tool without constraints. This grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints.	Static	skills/phenomenoner/context-clean-up/SKILL.md:1
MEDIUM	Broad filesystem read access by audit script The `scripts/context_cleanup_audit.py` script, when executed, accesses potentially sensitive directories such as `~/.openclaw` and the entire workspace directory to read session logs and bootstrap files. While this is necessary for its audit function, the `read` permission declared in the manifest, combined with the script's implementation, grants broad filesystem access. If the script were compromised or misused, it could access and process sensitive data beyond its intended scope. Users should be aware that the generated audit report may contain sensitive data snippets. Review and narrow the scope of filesystem access if possible. Ensure that the script only reads files strictly necessary for the audit. Clearly document the extent of data access to users and advise on secure handling of the generated report.	LLM	scripts/context_cleanup_audit.py:61
MEDIUM	Arbitrary command execution capability The skill's manifest declares the `exec` permission, which allows for arbitrary command execution. While `disable-model-invocation: true` prevents the LLM from directly invoking this, the `SKILL.md` explicitly instructs the user to execute `bash -lc` commands. This grants the skill (via user action) the ability to run any shell command. Although used here to run a specific audit script, the broad nature of `exec` poses a risk if the skill's instructions were to change or if the user were to be misled into executing malicious commands. If possible, replace `exec` with more granular tools or specific, sandboxed execution environments. Clearly document the necessity and implications of `exec` for users, and ensure all commands provided for execution are thoroughly vetted.	LLM	SKILL.md:20

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/27af7a4c72bdf59f.svg)](https://skillshield.io/report/27af7a4c72bdf59f)