Trust Assessment
diarybeast received a trust score of 62/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 1 medium, and 1 low severity. Key findings include a missing Node lockfile; the skill requiring the 'exec' tool, which enables arbitrary command execution; and the 'open' command being used with an externally sourced variable, which risks command injection.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Skill requires 'exec' tool, enabling arbitrary command execution. The skill's manifest explicitly declares a requirement for the 'exec' tool. This grants the AI agent the ability to execute arbitrary shell commands on the host system. This is a severe security risk, as a compromised skill or a malicious prompt could lead to full system compromise, data exfiltration, or denial of service. The presence of 'exec' permission makes all shell commands within the skill, including `curl`, `echo`, `jq`, `mkdir`, and `open`, potential vectors for command injection if their arguments are not strictly controlled. Re-evaluate the necessity of the 'exec' tool. If shell commands are required, consider using more constrained tools or APIs that limit the scope of execution (e.g., specific HTTP client tools instead of generic `curl` via `exec`). If `exec` is absolutely necessary, implement strict input validation and sanitization for all arguments passed to shell commands. | LLM | package.json:8 |
| HIGH | 'open' command used with externally sourced variable, risking command injection. The skill uses `open "$MAGIC_LINK"` where `$MAGIC_LINK` is derived from an external API response. If the external API is compromised or if an attacker can manipulate the `RESPONSE` variable (e.g., via prompt injection before `jq` parsing), a malicious URL or local file path could be injected. On systems like macOS, `open` can execute arbitrary commands or open sensitive local files, leading to command injection or data exfiltration. Avoid using `open` with unvalidated external input. If opening URLs is necessary, ensure the URL is strictly validated against a whitelist of allowed domains or protocols. Consider using a dedicated browser tool that isolates web content from the agent's environment. | LLM | SKILL.md:35 |
| MEDIUM | Authentication token and address stored persistently on local filesystem. The skill saves the authentication token (`$TOKEN`) and user address (`$ADDRESS`) to files in `~/.openclaw/workspace/skills/diarybeast/`. While this provides persistence, it creates a persistent target for other potentially malicious skills or compromised parts of the agent's environment. If another skill gains `exec` or filesystem access, these credentials could be easily exfiltrated. Store sensitive credentials in a secure, encrypted key management system or use short-lived tokens that require re-authentication. If local storage is unavoidable, ensure strict file permissions are set (e.g., `chmod 600`) and consider encrypting the stored data. | LLM | SKILL.md:28 |
| LOW | Node lockfile missing. package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/dxdleady/diary-beast/package.json |