Trust Assessment
crabwalk received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 5 critical, 1 high, 5 medium, and 1 low severity. Key findings include "Persistence / self-modification instructions", "Sensitive environment variable access: $HOME", and "Persistence mechanism: Shell RC file modification".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (12)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions. Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/luccast/crabwalk/skill.md:11 |
| CRITICAL | Persistence / self-modification instructions. Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/luccast/crabwalk/skill.md:126 |
| CRITICAL | Persistence / self-modification instructions. Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/luccast/crabwalk/skill.md:127 |
| CRITICAL | Unverified remote code execution during installation. The installation script downloads a compressed archive from GitHub via `curl` and pipes it directly to `tar -xz` without any integrity verification (e.g., checksum). This allows for arbitrary code execution if the remote repository or release assets are compromised, leading to a supply chain attack. Implement cryptographic signature verification or checksum validation (e.g., SHA256) for downloaded archives before extraction and execution. Alternatively, use a trusted package manager if available. | LLM | skill.md:7 |
| CRITICAL | Unverified remote code execution during manual update. The manual update script downloads a compressed archive from GitHub via `curl` and pipes it directly to `tar -xz` without any integrity verification (e.g., checksum). This allows for arbitrary code execution if the remote repository or release assets are compromised, leading to a supply chain attack during updates. Implement cryptographic signature verification or checksum validation (e.g., SHA256) for downloaded archives before extraction and execution. | LLM | skill.md:100 |
| HIGH | Skill requests root privileges (`sudo`) for optional dependency. The installation script attempts to install the `qrencode` package using `sudo` with various system package managers (`pacman`, `apt`, `brew`, `dnf`). This instructs the LLM to request and execute commands with root privileges, which is an excessive permission for an optional dependency and poses a significant security risk if the package manager or the package itself is compromised. Avoid using `sudo` within skill instructions. If root privileges are absolutely necessary, clearly separate the `sudo` command and provide explicit warnings and user confirmation steps. For optional dependencies, consider instructing the user to install it manually or provide a non-sudo alternative. | LLM | skill.md:7 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/luccast/crabwalk/skill.md:11 |
| MEDIUM | Persistence mechanism: Shell RC file modification. Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/luccast/crabwalk/skill.md:11 |
| MEDIUM | Persistence mechanism: Shell RC file modification. Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/luccast/crabwalk/skill.md:126 |
| MEDIUM | Persistence mechanism: Shell RC file modification. Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/luccast/crabwalk/skill.md:127 |
| MEDIUM | Skill modifies user shell configuration files. The installation script appends `export PATH="$HOME/.local/bin:$PATH"` to `~/.bashrc` and/or `~/.zshrc` if `~/.local/bin` is not already in the PATH. While this is a common practice for adding local binaries to the PATH, modifying user configuration files programmatically can be unexpected and could potentially be abused if the injected content were malicious. Inform the user explicitly about the PATH modification and offer to perform it, or provide instructions for manual modification. Ensure the injected content is minimal and safe. | LLM | skill.md:7 |
| LOW | Update script uses `rm -rf`. The manual update script includes `rm -rf ~/.crabwalk/.output`. While likely intended for cleanup of the skill's own temporary files, `rm -rf` is a powerful command that can lead to data loss if the target path is incorrect or manipulated. Ensure that paths used with `rm -rf` are strictly controlled and cannot be influenced by untrusted input. Consider adding a confirmation step for destructive operations. | LLM | skill.md:101 |