Trust Assessment
dual-brain received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 28 findings: 16 critical, 4 high, 6 medium, and 1 low severity. Key findings include Persistence / self-modification instructions, Arbitrary command execution, Missing required field: name.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings28
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/dannydvm/dual-brain/daemon/install.sh:16 | |
| CRITICAL | Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/dannydvm/dual-brain/daemon/install.sh:51 | |
| CRITICAL | Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/dannydvm/dual-brain/src/cli.js:211 | |
| CRITICAL | Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/dannydvm/dual-brain/src/cli.js:242 | |
| CRITICAL | Persistence / self-modification instructions systemd service persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/dannydvm/dual-brain/daemon/install.sh:91 | |
| CRITICAL | Persistence / self-modification instructions systemd service persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/dannydvm/dual-brain/src/cli.js:273 | |
| CRITICAL | Persistence / self-modification instructions systemd service persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/dannydvm/dual-brain/src/cli.js:281 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/dannydvm/dual-brain/src/cli.js:4 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/dannydvm/dual-brain/src/cli.js:212 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/dannydvm/dual-brain/src/cli.js:213 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/dannydvm/dual-brain/src/cli.js:242 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/dannydvm/dual-brain/src/cli.js:251 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/dannydvm/dual-brain/src/cli.js:252 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/dannydvm/dual-brain/src/cli.js:272 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/dannydvm/dual-brain/src/cli.js:273 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/dannydvm/dual-brain/src/cli.js:274 | |
| HIGH | Persistence mechanism: macOS LaunchAgent Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/dannydvm/dual-brain/daemon/install.sh:16 | |
| HIGH | Persistence mechanism: macOS LaunchAgent Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/dannydvm/dual-brain/daemon/install.sh:51 | |
| HIGH | Persistence mechanism: systemd service Detected systemd service pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/dannydvm/dual-brain/daemon/install.sh:91 | |
| HIGH | Persistent Service Installation via Shell Script The `install.sh` script, executed by `dual-brain install-daemon`, installs a persistent system service (launchd on macOS, systemd on Linux) that runs the `dual-brain start` command. While the script uses `which` to locate executables, the installation of a service provides a persistent execution vector. If the `dual-brain` command or its dependencies were compromised, or if the user's PATH environment variable was manipulated prior to installation, this could lead to persistent arbitrary code execution under the user's privileges. For systemd, the script instructs the user to manually run `sudo` commands, which elevates the risk. Ensure the `dual-brain` executable and its dependencies are thoroughly secured against tampering. Consider using more robust methods for service installation that verify executable integrity. For systemd, clearly warn users about the implications of `sudo` and ensure the service runs with the least necessary privileges. Implement integrity checks for the `dual-brain` binary before starting the service. | LLM | daemon/install.sh:1 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/dannydvm/dual-brain/SKILL.md:1 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/dannydvm/dual-brain/daemon/install.sh:16 | |
| MEDIUM | Sensitive environment variable access: $USER Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/dannydvm/dual-brain/daemon/install.sh:75 | |
| MEDIUM | User Message Data Sent to Third-Party LLMs The core functionality of this skill involves reading user messages from local session files (`~/.openclaw/agents` or `~/.moltbot/agents`) and sending them to external Large Language Model (LLM) providers such as OpenAI, Groq, or Moonshot. While this is an intended feature, it means sensitive user conversation data is transmitted to and processed by third-party services. Users should be explicitly aware of this data sharing and the privacy implications. Clearly document in the skill's manifest and user guide that user messages are sent to third-party LLM providers. Provide options for users to choose local-only providers (like Ollama) or to disable the skill if they have privacy concerns. Implement robust data handling policies with chosen providers. | LLM | src/daemon.js:124 | |
| MEDIUM | API Keys Stored in Plain Text API keys for external LLM providers (OpenAI, Groq, Moonshot) are collected during the `dual-brain setup` process and stored in plain text within the user's home directory at `~/.dual-brain/config.json`. While common for local CLI tools, storing sensitive credentials in plain text poses a security risk if the user's home directory or system is compromised, allowing unauthorized access to these keys. Consider using more secure methods for storing API keys, such as environment variables, a system-level credential manager (e.g., macOS Keychain, Linux Secret Service), or encrypted configuration files. If plain text storage is necessary for simplicity, ensure file permissions are strictly set to user-only read/write (`chmod 600`). | LLM | src/config.js:68 | |
| MEDIUM | Prompt Injection Risk for Secondary LLM The skill constructs a system prompt for the secondary LLM that includes user messages. Although the prompt attempts to frame the user message as a quote and includes instructions like 'Never refuse or say you need more context', sophisticated prompt injection techniques within the user's input could potentially manipulate the secondary LLM's behavior. This could lead to the secondary LLM generating unintended or malicious perspectives, which are then presented to the primary agent. Continuously refine the system prompt to be more resilient against prompt injection. Consider implementing additional input sanitization or using LLM-specific safety features (e.g., content moderation APIs) before sending user messages to the secondary LLM. Educate users about the potential for prompt injection and its implications. | LLM | src/providers/groq.js:20 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/dannydvm/dual-brain/package.json | |
| INFO | Empty Dependencies in package.json The `package.json` file lists an empty `dependencies` object. While the code appears to primarily use built-in Node.js modules (`fs`, `path`, `os`, `http`, `https`, `child_process`, `readline`), this is an unusual pattern for a Node.js project. It could indicate reliance on globally installed packages or implicit dependencies that are not explicitly managed, potentially obscuring the true dependency graph and making supply chain analysis more difficult. Explicitly list all external dependencies in `package.json` to ensure proper dependency management, version pinning, and to facilitate security scanning of the supply chain. If no external dependencies are truly used, add a comment explaining this. | LLM | package.json:14 |
Scan History
Embed Code
[](https://skillshield.io/report/6f6b2f3b2789531e)
Powered by SkillShield