Trust Assessment
daily-review received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 3 critical, 3 high, 2 medium, and 0 low severity. Key findings include "Arbitrary command execution", "Remote code execution: curl/wget pipe to shell", and "Sensitive environment variable access: $SLACK_TOKEN".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Remote code download piped to interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/henrino3/daily-review/scripts/daily-review.sh:86 |
| CRITICAL | Remote code execution: curl/wget pipe to shell | Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/henrino3/daily-review/scripts/daily-review.sh:86 |
| CRITICAL | Remote Command Injection via Unsanitized Date Argument | The script directly uses the unsanitized first argument (`$1`) as the `DATE` variable, which is then passed without proper escaping to a remote Python script executed via SSH. An attacker can inject arbitrary shell commands by providing a malicious date string (e.g., `2023-01-01; rm -rf /`) as the first argument, leading to remote code execution on the `henrymascot@100.86.150.96` machine. Sanitize or validate the `$1` input before assigning it to `DATE`. When passing arguments to remote commands via SSH, use a method that properly escapes or quotes the arguments, or pass them via standard input if possible. For example, use `printf '%q' "$DATE"` for shell escaping or ensure the Python script explicitly handles arguments safely. | LLM | scripts/daily-review.sh:105 |
| HIGH | Sensitive path access: AI agent config | Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/henrino3/daily-review/scripts/daily-review.sh:76 |
| HIGH | Hardcoded Credentials for X.com (Bird CLI) | The script hardcodes sensitive credentials (`AUTH_TOKEN` and `CT0` for X.com/Bird CLI) directly within the shell script. This is a severe security risk as these secrets are exposed in plain text within the codebase, making them vulnerable to discovery and misuse. The `SKILL.md` suggests reading these from `~/clawd/secrets/bird.env`, but the script overrides this by hardcoding them. Remove hardcoded credentials. Read `AUTH_TOKEN` and `CT0` from the designated secrets file (`~/clawd/secrets/bird.env`) as intended by the `SKILL.md` documentation. Ensure secrets files have appropriate file permissions. | LLM | scripts/daily-review.sh:37 |
| HIGH | jq Command Injection via Unsanitized Date Variable | The `DATE` variable, derived from unsanitized user input (`$1`), is directly interpolated into a `jq` filter string without proper escaping. An attacker could inject malicious `jq` syntax (e.g., by including `"` characters) into the `DATE` variable, potentially manipulating the JSON processing logic, exposing data, or causing unexpected behavior. Sanitize the `DATE` variable before interpolating it into the `jq` filter. A robust solution would involve passing the date as a `jq` variable using `--arg` or `--argjson` to prevent injection, e.g., `jq --arg date "$DATE" '... select(.dateString \| startswith($date)) ...'`. | LLM | scripts/daily-review.sh:59 |
| MEDIUM | Sensitive environment variable access: $SLACK_TOKEN | Access to sensitive environment variable '$SLACK_TOKEN' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/henrino3/daily-review/scripts/daily-review.sh:24 |
| MEDIUM | Excessive Permissions: Remote SSH Execution | The skill utilizes SSH to execute commands on a remote machine (`henrymascot@100.86.150.96`). While necessary for its functionality (e.g., Screen Time, ActivityWatch), granting a skill the ability to execute arbitrary commands on a remote host via SSH represents a significant privilege. If the skill's execution environment or its inputs are compromised, this could lead to unauthorized remote access and control. Minimize the scope of remote execution. If possible, use more granular remote APIs instead of direct SSH command execution. If SSH is unavoidable, ensure the SSH user has the principle of least privilege applied, and consider using SSH forced commands to restrict what can be executed. Implement strict input validation for any arguments passed to remote commands. | LLM | scripts/daily-review.sh:35 |
| INFO | Supply Chain Risk: Unpinned External Dependencies | The `SKILL.md` instructs users to clone a Git repository (`https://github.com/steipete/bird.git`) and run `npm install` without specifying exact versions or commit hashes. This introduces a supply chain risk, as a compromise of the upstream repository or a malicious package update could introduce vulnerabilities or malware into the skill's dependencies. Pin dependencies to specific versions or commit hashes. For Git repositories, specify a commit hash (e.g., `git clone <repo> <dir> && cd <dir> && git checkout <commit_hash>`). For `npm`, use `npm ci` with a `package-lock.json` or specify exact versions in `package.json`. | LLM | SKILL.md:69 |