Trust Assessment
deck-tracker received a trust score of 28/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 2 high, 1 medium, and 0 low severity. Key findings include "Persistence / self-modification instructions", "Persistence mechanism: Shell RC file modification", and "Recommended workflow uses command substitution vulnerable to injection".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions. Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/skanderhelali/openclaw-deck-tracker/SKILL.md:19 |
| CRITICAL | Recommended workflow uses command substitution vulnerable to injection. The 'AI Protocol: Complex Descriptions' section recommends using `deck update <id> --description "$(cat /tmp/deck_desc_<id>.txt)"`. If the `<id>` variable is derived from untrusted input, an attacker can inject arbitrary shell commands. For example, if `<id>` is crafted as `$(malicious_command)`, then `malicious_command` will be executed by the shell before the `deck` command is invoked. This allows for arbitrary code execution on the host system. Avoid using command substitution (`$()`) with untrusted input. Instead, the `deck` tool should be designed to accept file paths (e.g., `--description-file /tmp/deck_desc_<id>.txt`) or read content from standard input for large descriptions, ensuring that arguments are properly escaped and not interpreted as shell commands. Additionally, ensure that the `<id>` used for temporary file names is sanitized to prevent path traversal or other file system manipulation. | LLM | SKILL.md:133 |
| HIGH | Skill provides command to dump all completed tasks, risking data exfiltration. The `deck dump-done` command is described as outputting 'the JSON payload for all cards in "Done Today"'. This command provides a direct mechanism to extract potentially sensitive information (e.g., task details, logs, internal notes, or even credentials if mistakenly stored in descriptions) from the NextCloud Deck board. If the LLM processes this output, sensitive data could be inadvertently exposed or exfiltrated to the LLM provider or other services. Implement strict data handling policies for the output of `deck dump-done`. Ensure that the LLM is not permitted to process or transmit sensitive information from this output without explicit user consent and redaction. Consider redacting or sanitizing the output before it is presented to the LLM or stored in memory. If possible, the `deck` tool should offer more granular control over what data is dumped or provide options to redact sensitive fields. | LLM | SKILL.md:95 |
| HIGH | `deck monitor` spawns background processes and sends chat notifications. The `deck monitor` command is described as 'Spawns a background process' and 'sends a chat notification to the specified `target_id`'. Spawning background processes grants the skill significant system interaction capabilities, which could be abused for arbitrary command execution if `card_id` or `target_id` are not properly sanitized and are used in the spawned command. Sending chat notifications implies network access and interaction with external services, which could be leveraged for data exfiltration or further command injection if `target_id` can be manipulated to point to malicious endpoints or inject commands into the chat system. Review the implementation of `deck monitor` to ensure that `card_id` and `target_id` are strictly validated and sanitized before being used in any shell commands or network requests. Limit the scope of the background process and the chat notification mechanism to prevent arbitrary command execution or data exfiltration. Consider if such broad capabilities are truly necessary for the skill's intended function and implement least privilege principles. | LLM | SKILL.md:88 |
| MEDIUM | Persistence mechanism: Shell RC file modification. Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/skanderhelali/openclaw-deck-tracker/SKILL.md:19 |