Trust Assessment
The `dashboard` skill received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 3 critical, 4 high, 3 medium, and 0 low severity. Key findings include "Persistence / self-modification instructions", "Arbitrary command execution", and "Missing required field: name".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Persistence / self-modification instructions:** systemd service persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/joetomasone/dashboard/SKILL.md:120 |
| CRITICAL | **Arbitrary command execution:** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/joetomasone/dashboard/src/app.py:54 |
| CRITICAL | **Dashboard designed to run with root privileges:** The `setup.sh` script uses `sudo` for dependency installation. More critically, the `SKILL.md` documentation and the `systemd` service configuration explicitly suggest or configure the dashboard to run with root privileges (`WorkingDirectory=/root/clawd-dashboard`, `Environment=CLAWD_WORKSPACE=/root/clawd`, `ExecStart=/usr/bin/python3 app.py`). Running a web application, especially one that processes user input and executes external commands (`clawdbot`), as root is a severe security risk. A compromise of the dashboard could lead to full system compromise. The dashboard and the agent should run as a dedicated, unprivileged user. Avoid `sudo` for application-specific installations. Update the `systemd` service to use `User=` and `Group=` directives for a non-root user. Change the default `CLAWD_WORKSPACE` to a user-owned directory. | LLM | SKILL.md:120 |
| HIGH | **Dangerous call: subprocess.run():** Call to 'subprocess.run()' detected in function 'get_agent_status'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/joetomasone/dashboard/src/app.py:54 |
| HIGH | **Persistence mechanism: systemd service:** Detected systemd service pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/joetomasone/dashboard/SKILL.md:120 |
| HIGH | **Potential `sed` command injection via `DASHBOARD_PORT` environment variable:** The `setup.sh` script uses `sed -i "s/port=5050/port=$PORT/" "$DASHBOARD_DIR/app.py"` to dynamically update the `app.py` file. The `$PORT` variable is user-controlled via the `DASHBOARD_PORT` environment variable. If `$PORT` contains characters that are special to `sed` (e.g., `/`, `&`, `\`), an attacker could inject arbitrary `sed` commands, potentially modifying `app.py` in malicious ways or executing other commands. Avoid dynamic modification of code files with user-controlled input. Instead, pass the port as a command-line argument to `app.py` (e.g., `python3 app.py --port $PORT`) or read the `DASHBOARD_PORT` environment variable directly within `app.py`. If `sed` must be used, properly escape the `$PORT` variable for `sed` context, or use a different delimiter that is guaranteed not to appear in the port number (e.g., `sed -i "s\|port=5050\|port=$PORT\|" ...`). | LLM | setup.sh:46 |
| HIGH | **Dashboard lacks authentication and warns against public exposure:** The `SKILL.md` explicitly states: "Dashboard has **no authentication** by default" and "Do NOT expose to public internet without adding auth." This means that if the dashboard is exposed to any network beyond `localhost` without additional security measures (like a VPN, Tailscale, or an external proxy with authentication), any user on that network can access and modify all tasks, notes, and view agent status and logs. Given the `systemd` service runs as root, this could expose sensitive agent operational data and allow unauthorized control over tasks. While the skill warns the user, the lack of built-in authentication makes it inherently insecure for anything but a strictly isolated environment. Implement a robust authentication mechanism (e.g., API key, OAuth, basic auth) within the Flask application if the dashboard is intended for use beyond `localhost` or trusted private networks. Alternatively, clearly document and enforce the use of external authentication proxies (e.g., Nginx with basic auth) for any non-local deployments. | LLM | SKILL.md:130 |
| MEDIUM | **Missing required field: name:** The 'name' field is required for openclaw skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/joetomasone/dashboard/SKILL.md:1 |
| MEDIUM | **Sensitive environment variable access: $HOME:** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/joetomasone/dashboard/setup.sh:8 |
| MEDIUM | **`subprocess.run` call to external `clawdbot` command:** The `app.py` uses `subprocess.run(['clawdbot', 'status', '--json'])` to execute an external command. While the arguments are hardcoded, the `clawdbot` executable itself is resolved via the system's `PATH` environment variable. If an attacker can manipulate the `PATH` or place a malicious executable named `clawdbot` in a directory that precedes the legitimate `clawdbot` in the `PATH`, they could achieve arbitrary command execution. This risk is elevated given the dashboard is configured to run as root. Use the absolute path to the `clawdbot` executable (e.g., `/usr/local/bin/clawdbot`) to prevent `PATH` manipulation. Ensure the `clawdbot` executable and its directory are properly secured with appropriate permissions. | LLM | src/app.py:49 |