Trust Assessment
db-backup received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 3 critical, 2 high, 2 medium, and 0 low severity. Key findings include "Persistence / self-modification instructions", "Missing required field: name", and "Sensitive environment variable access: $HOME".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions. Crontab manipulation (list/remove/edit). Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/sa9saq/db-backup/SKILL.md:62 |
| CRITICAL | Command Injection via unsanitized user input in generated scripts. The skill instructs the LLM to generate shell scripts using user-provided inputs such as database names, connection details, and backup directories. The example script snippets show direct interpolation of variables like `DB` and `BACKUP_DIR` into shell commands (e.g., `pg_dump -Fc "$DB"`, `mysqldump ... "$DB"`, `sqlite3 "$DB_FILE" ".backup '$BACKUP_DIR/...'`). If the LLM does not rigorously sanitize these user inputs to escape shell metacharacters (e.g., `;`, `\|`, `&`, `$()`, `` ` ``), a malicious user can inject arbitrary shell commands that will be executed with the privileges of the user running the agent. Instruct the LLM to implement robust sanitization for all user-provided inputs (database names, paths, connection details, retention, schedule) before embedding them into generated shell scripts. This includes escaping shell metacharacters, validating input formats, and potentially whitelisting allowed characters. For paths, ensure they are canonicalized and restricted to safe locations. | LLM | SKILL.md:22 |
| CRITICAL | Command Injection via unsanitized script path in crontab entry. The skill instructs the LLM to set up a cron job using a user-provided script path (`/path/to/backup.sh`) and log path (`/path/to/backup.log`). If the LLM directly interpolates user input for these paths into the `crontab` command without proper sanitization, a malicious user could inject arbitrary shell commands into the cron entry, leading to persistent command execution. Instruct the LLM to rigorously sanitize and validate the script and log file paths provided by the user before embedding them into the `crontab` command. Paths should be canonicalized, restricted to safe directories, and all shell metacharacters must be escaped. Consider generating a fixed, agent-controlled path for the backup script and log, rather than allowing full user control. | LLM | SKILL.md:56 |
| HIGH | Persistence mechanism: Crontab modification. Detected Crontab modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/sa9saq/db-backup/SKILL.md:62 |
| HIGH | Data Exfiltration risk through user-specified backup directory. The skill allows the user to specify the `BACKUP_DIR` for sensitive database backups. While the default is `~/backups/db/`, a malicious user could provide a path to a publicly accessible directory (e.g., a web server's document root) or a network share, leading to the exposure or exfiltration of sensitive database contents. The skill also mentions "For remote storage: pipe to `aws s3 cp` or `rclone copy`", which, if implemented based on user input, could facilitate exfiltration to arbitrary remote locations. Instruct the LLM to validate and restrict the `BACKUP_DIR` to a set of safe, non-public, and agent-controlled directories. If remote storage is offered, ensure that the LLM only uses pre-configured, secure destinations or requires explicit user confirmation for new destinations, and that credentials for remote storage are handled securely (e.g., via IAM roles or secure configuration, not direct user input). | LLM | SKILL.md:18 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/sa9saq/db-backup/SKILL.md:1 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/sa9saq/db-backup/SKILL.md:16 |