Trust Assessment
doctor-acid received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 2 high, 2 medium, and 0 low severity. Key findings include "Missing required field: name", "Direct Prompt Injection via Agent Messaging", and "Potential Credential Exposure via Prompt Injection".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Direct Prompt Injection via Agent Messaging.** The skill explicitly allows users to send arbitrary natural language messages to the AI agent via the `openclaw claw-fm message` command and other configuration options. The agent is designed to interpret and act upon these instructions to generate music, configure its style, and potentially interact with external services. This direct messaging capability creates a severe prompt injection vulnerability, enabling an attacker to manipulate the agent's behavior, bypass its intended persona, or coerce it into performing unauthorized actions, including data exfiltration or financial manipulation if combined with other vulnerabilities. Implement robust input sanitization and validation for all user-provided messages and configuration parameters that influence the LLM's prompt. Consider using a separate, sandboxed LLM for interpreting user commands, or restrict the agent's ability to act on sensitive instructions received directly from user messages. Implement guardrails to prevent the agent from revealing its system prompt, API keys, or performing unauthorized wallet operations based on user input. | LLM | SKILL.md:190 |
| HIGH | **Potential Credential Exposure via Prompt Injection.** The skill's configuration (`config.json`) explicitly uses API keys (e.g., `${SUNO_API_KEY}`) for music generation services. The agent also has 'Automatic wallet connection' for earning USDC. Given the critical prompt injection vulnerability, an attacker could potentially instruct the agent to reveal these API keys, wallet addresses, or other sensitive configuration details. The `openclaw claw-fm validate-keys` command also implies the agent has access to these credentials, making them a target for exfiltration. Ensure API keys and sensitive credentials are not directly accessible or revealable by the LLM. Implement a secure secrets management system that provides credentials to the underlying execution environment without exposing them to the LLM's context. Restrict the agent's ability to output or transmit any sensitive configuration data or API keys. Implement strict access controls and logging for credential usage. | LLM | SKILL.md:108 |
| HIGH | **Excessive Wallet Permissions with Autonomous Operation.** The agent is configured with 'Automatic wallet connection' and the ability to 'submit tracks to claw.fm for streaming and earnings', implying direct interaction with a blockchain wallet. While `auto_withdraw` is set to `false` by default, the agent still possesses the capability to perform transactions (e.g., submitting tracks, receiving funds). Combined with the prompt injection vulnerability, an attacker could potentially manipulate the agent to perform unauthorized wallet operations beyond its intended scope, such as transferring funds or approving malicious contracts, even if direct withdrawal is disabled. Implement granular access controls for wallet interactions, ensuring the agent only has the minimum necessary permissions (e.g., only to receive funds, not to initiate transfers). All wallet operations should require explicit human approval or be strictly limited by smart contract logic. Regularly audit the agent's wallet activity and implement transaction monitoring for suspicious patterns. Re-evaluate the necessity of 'Automatic wallet connection' for submission if it grants broader permissions than required. | LLM | SKILL.md:70 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/alienpingu/doctor-acid/SKILL.md:1 |
| MEDIUM | **Unpinned Third-Party Dependencies.** The skill instructs users to install third-party npm packages (`riffusion-api`, `@suno-ai/sdk`, `udio-sdk`) without specifying exact versions. This practice of using unpinned dependencies introduces a supply chain risk, as future installations could pull in new, potentially vulnerable, or even malicious versions of these packages. An attacker could compromise a package maintainer's account or publish a typosquat package, leading to arbitrary code execution on the user's system. Pin all third-party dependencies to specific, known-good versions (e.g., `npm install riffusion-api@1.2.3`). Use a dependency lock file (e.g., `package-lock.json`) to ensure deterministic installations. Regularly audit and update dependencies to patch known vulnerabilities, but always with version pinning. | LLM | SKILL.md:125 |