Trust Assessment
conversation-summary received a trust score of 48/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 1 critical, 1 high, 2 medium, and 2 low severity. Key findings include "Suspicious import: requests", "Unpinned npm dependency version", and "Node lockfile missing".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 53/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Potential command injection due to unescaped arguments.** The `SKILL.md` documentation shows the skill being invoked via `python3 scripts/conversation_summary.py '<chat_list_json>' '<history_summary>'`. The `chat_list` and `history_summary` parameters are user-controlled strings. If the host LLM does not properly quote or escape these arguments when constructing the shell command, a malicious user could inject arbitrary shell commands; for example, providing `{"role":"user","content":"hello"}' ; rm -rf /` as `chat_list` could lead to directory deletion. The Python script itself uses `sys.argv` directly, making it vulnerable if the calling environment doesn't escape. Remediation: (1) Primary: the host LLM environment must ensure that all user-provided arguments passed to external commands are properly quoted and escaped for the target shell. (2) Secondary (defense in depth): the Python script should validate and sanitize inputs more rigorously, although shell injection happens *before* the Python script even runs; if possible, use a more robust method for passing data than command-line arguments (e.g., stdin, temporary files, or a dedicated API if the skill runs as a service). (3) For LLM developers: when invoking external processes, use a library function that handles argument escaping (e.g., `subprocess.run` with `shell=False` and arguments passed as a list, or `shlex.quote` for individual arguments if `shell=True` is unavoidable). | LLM | SKILL.md:20 |
| HIGH | **User conversation data sent to external API.** The script `conversation_summary.py` sends the full `chat_list` and `history_summary` (which contain user conversation content) to a hardcoded external API endpoint: `https://iautomark.sdm.qq.com/assistant-analyse/v1/assistant/poc/summary/trigger`. This constitutes data exfiltration, as sensitive user data is transmitted to a third-party service without explicit user consent or clear disclosure in the skill's description. Remediation: (1) Obtain explicit user consent before sending any data to external services. (2) Clearly disclose in the skill's manifest and documentation that user conversation data will be sent to `iautomark.sdm.qq.com` for summarization. (3) Anonymize or redact sensitive information before transmission, if possible. (4) If the external API is not strictly necessary, implement summarization locally or use a trusted, privacy-preserving service. | LLM | scripts/conversation_summary.py:12 |
| MEDIUM | **Suspicious import: requests.** Import of `requests` detected. This module provides network or low-level system access. Verify that this import is necessary; network and system modules in skill code may indicate data exfiltration. | Static | skills/dadaliu0121/skills-ai-assistant/scripts/conversation_summary.py:8 |
| MEDIUM | **Unpinned npm dependency version.** Dependency `requests` is not pinned to an exact version (`^2.31.0`). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/dadaliu0121/skills-ai-assistant/package.json |
| LOW | **Node lockfile missing.** `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/dadaliu0121/skills-ai-assistant/package.json |
| LOW | **Unpinned dependency in package.json.** The `package.json` specifies the `requests` dependency using a caret (`^`) operator: `"requests": "^2.31.0"`. This allows automatic updates to new minor or patch versions (e.g., `2.32.0`, `2.31.1`) without explicit review. While generally safe, this introduces a slight supply-chain risk, as a new version could introduce a vulnerability or breaking change. Remediation: pin the dependency to an exact version (e.g., `"requests": "2.31.0"`) to ensure deterministic builds and prevent unexpected changes from upstream packages, and regularly review and manually update dependencies. | LLM | package.json:9 |
Full report: https://skillshield.io/report/d0d78202167ae060