Trust Assessment
conversation-summary received a trust score of 48/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 1 critical, 1 high, 3 medium, and 2 low severity. Key findings include "Suspicious import: requests", "Unpinned npm dependency version", and "Node lockfile missing".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 46/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via Unescaped sys.argv Arguments: The `scripts/conversation_summary.py` script directly uses `sys.argv` to retrieve `chat_list` and `history_summary` without any sanitization or escaping. The `SKILL.md` file, which describes the skill's internal execution, explicitly shows a shell command pattern: `python3 scripts/conversation_summary.py '<chat_list_json>' '<history_summary>'`. If the AI agent platform or the LLM constructs this shell command by directly interpolating user-controlled input into these arguments, and the input contains shell metacharacters (e.g., single quotes, semicolons, backticks, `$(...)`), it could lead to arbitrary command execution on the host system. For example, a crafted `chat_list_json` like `']'; rm -rf /; echo '[` could break out of the single quotes and execute `rm -rf /`. The platform executing the skill must ensure that all arguments passed to external scripts are properly escaped for the shell environment, or preferably, passed as distinct arguments to the script's entry point without shell interpretation. If direct shell execution is unavoidable, implement robust input sanitization and shell escaping (e.g., using `shlex.quote` in Python) before constructing the command string. Alternatively, consider using a more robust method for passing data, such as environment variables or temporary files, if the platform supports it. | LLM | scripts/conversation_summary.py:60 |
| HIGH | Data Exfiltration to Third-Party API: The skill's primary function is to send user conversation data (`chat_list` and `history_summary`) to a hardcoded external API endpoint: `https://iautomark.sdm.qq.com/assistant-analyse/v1/assistant/poc/summary/trigger`. While this is the intended purpose of the skill, it constitutes sending potentially sensitive user conversation data outside the user's direct control to a third-party service. Users should be explicitly informed and consent to their conversation data being transmitted to this specific external domain, as it could contain Personally Identifiable Information (PII) or other confidential information. Ensure that users are fully aware and provide explicit consent for their conversation data to be sent to this third-party API. Clearly state the data handling practices, privacy policy of the third-party service, and any data retention policies. Consider making the API endpoint configurable or providing options for local processing if privacy is a major concern. | LLM | scripts/conversation_summary.py:10 |
| MEDIUM | Suspicious import: requests: Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/dadaliu0121/chat-conversation-summary/scripts/conversation_summary.py:8 |
| MEDIUM | Unpinned npm dependency version: Dependency 'requests' is not pinned to an exact version ('^2.31.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/dadaliu0121/chat-conversation-summary/package.json |
| MEDIUM | Unpinned Dependency Version: The `package.json` specifies the `requests` dependency with a caret range (`^2.31.0`). This allows for automatic updates to any `2.x.x` version, which could introduce breaking changes, new vulnerabilities, or unexpected behavior without explicit review. While common, for security-sensitive components, strictly pinning dependencies to an exact version (`requests: "2.31.0"`) is a best practice to ensure reproducibility and prevent supply chain risks from upstream changes. Pin the `requests` dependency to an exact version (e.g., `"requests": "2.31.0"`) to ensure deterministic builds and prevent unexpected updates. Regularly review and manually update dependencies to incorporate security patches. | LLM | package.json:9 |
| LOW | Node lockfile missing: package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/dadaliu0121/chat-conversation-summary/package.json |
| LOW | Discrepancy in Author Information: The `author` field in the skill's manifest (`lyue82665-droid`) differs from the `author` field in `package.json` (`openclaw`). This inconsistency can be a minor supply chain risk, as it creates ambiguity regarding the true origin or maintainer of the skill, potentially hindering trust or accountability. Ensure consistency in author information across all manifest and package files to clearly identify the skill's origin and maintainer. Update either the manifest or `package.json` to reflect the correct and consistent author. | LLM | SKILL.md:2 |