Security Audit

cwicr-historical-cost

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

TRUSTED

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

cwicr-historical-cost received a trust score of 83/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 3 findings: 0 critical, 0 high, 3 medium, and 0 low severity. Key findings include Missing required field: name, Unrestricted file export capability, Unrestricted database save capability.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

93%

Dependency Graph

100%

LLM Behavioral Safety

86%

Behavioral Risk Signals

Filesystem Write

2 findings

Excessive Permissions

2 findings

Security Findings3

Severity	Finding	Layer	Location
MEDIUM	Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter.	Static	skills/datadrivenconstruction/cwicr-historical-cost/SKILL.md:1
MEDIUM	Unrestricted file export capability The `export_historical_data` method allows writing the skill's data to an arbitrary file path (`output_path`) provided by the caller. If an LLM agent or user provides an untrusted path, this could lead to overwriting sensitive system files, writing to unauthorized locations, or exfiltrating data by saving it to a publicly accessible directory. Implement strict path validation and sanitization for `output_path`. Restrict file write operations to a designated, secure directory (e.g., a sandbox or temporary directory) and prevent writing to arbitrary system paths. Avoid allowing untrusted input to directly control file paths.	LLM	SKILL.md:250
MEDIUM	Unrestricted database save capability The `save_database` method allows writing the skill's internal database to an arbitrary file path (`filepath`) provided by the caller. If an LLM agent or user provides an untrusted path, this could lead to overwriting sensitive system files, writing to unauthorized locations, or exfiltrating data by saving it to a publicly accessible directory. Implement strict path validation and sanitization for `filepath`. Restrict file write operations to a designated, secure directory (e.g., a sandbox or temporary directory) and prevent writing to arbitrary system paths. Avoid allowing untrusted input to directly control file paths.	LLM	SKILL.md:288

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/8d752fd446802541.svg)](https://skillshield.io/report/8d752fd446802541)