Security Audit

craft-do

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

craft-do received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 5 findings: 2 critical, 2 high, 1 medium, and 0 low severity. Key findings include Missing required field: name, Shell Command Injection via Unescaped Argument in 'find', JSON Injection via Unescaped Variable in 'create_folder'.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

93%

Dependency Graph

100%

LLM Behavioral Safety

10%

Behavioral Risk Signals

Network Access

2 findings

Filesystem Write

1 finding

Shell Execution

2 findings

Dynamic Code

3 findings

Excessive Permissions

1 finding

Security Findings5

Severity	Finding	Layer	Location
CRITICAL	Shell Command Injection via Unescaped Argument in 'find' The `migrate-obsidian.sh` and `migrate-obsidian-nested.sh` scripts use the `OBSIDIAN_VAULT` variable, taken directly from a command-line argument (`$1`), within a `find` command. Although the variable is double-quoted, modern shells (like bash) still perform command substitution (`$(...)`) and arithmetic expansion (`$((...))`) within double quotes. This allows an attacker to inject arbitrary shell commands by providing a malicious `OBSIDIAN_VAULT` path, e.g., `$(evil_command)`. Sanitize or validate the `OBSIDIAN_VAULT` argument to ensure it does not contain shell metacharacters or command substitutions. A safer approach might involve using `printf %q` for shell-safe quoting if the path needs to be passed to other shell commands, or strictly validating the input as a valid file path before use.	LLM	migrate-obsidian-nested.sh:30
CRITICAL	JSON Injection via Unescaped Variable in 'create_folder' In `migrate-obsidian.sh`, the `create_folder` function constructs a JSON payload for the Craft.do API by directly embedding the `$folder_name` variable into a JSON string without proper escaping. If `$folder_name` contains double quotes or other JSON-breaking characters, it can lead to malformed JSON, causing the API request to fail or, in a more sophisticated attack, allowing injection of arbitrary JSON fields to manipulate the API call's intent. Always escape user-provided or untrusted string inputs before embedding them into JSON payloads. Use a tool like `jq -Rs .` to properly JSON-encode the `$folder_name` variable, similar to how `title_json` and `content` are handled in the `create_document` function.	LLM	migrate-obsidian.sh:90
HIGH	JSON Injection via Unescaped Arguments in 'craft-api.sh' Commands The `craft-api.sh` script directly embeds command-line arguments (`$2`, `$3`, etc.) into JSON strings within `curl -d` payloads for commands like `create-doc`, `create-task`, `complete-task`, and `move`. If these arguments contain double quotes or other JSON-breaking characters, it can lead to malformed JSON, causing API requests to fail or potentially allowing injection of arbitrary JSON fields to alter the API call's intent. Always escape user-provided or untrusted string inputs before embedding them into JSON payloads. Use a tool like `jq -Rs .` to properly JSON-encode the command-line arguments before constructing the JSON string. This issue affects `create-doc`, `create-task`, `complete-task`, and `move` commands.	LLM	craft-api.sh:62
HIGH	Excessive Permissions: Destructive Cleanup Script The `cleanup-craft.sh` script is designed to perform highly destructive operations: deleting all user-created folders and moving all documents to trash. While it includes a `read -p` confirmation, an automated AI agent might bypass this prompt or be configured to automatically confirm, leading to unintended and irreversible data loss in the Craft.do account. This represents an excessive permission scope for a skill that could be invoked without explicit human oversight. For highly destructive operations, consider implementing stronger safeguards for AI agents, such as requiring explicit human approval via an external mechanism, or making the script an 'opt-in' feature that requires a specific, non-default configuration to enable. Ensure the AI agent is designed to handle interactive prompts appropriately, or that such scripts are not executable by default in an automated context.	LLM	cleanup-craft.sh:10
MEDIUM	Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter.	Static	skills/atomtanstudio/craft-do/SKILL.md:1

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/21ac4e7f095149c8.svg)](https://skillshield.io/report/21ac4e7f095149c8)