Trust Assessment
event-watcher received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 5 critical, 5 high, 2 medium, and 0 low severity. Key findings include Arbitrary command execution, Credential harvesting, Dangerous call: subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings12
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/solitaire2015/event-watcher/scripts/watcher.py:155 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/solitaire2015/event-watcher/scripts/watcher.py:200 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/solitaire2015/event-watcher/scripts/watcher.py:248 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/solitaire2015/event-watcher/scripts/watcher.py:438 | |
| CRITICAL | Prompt Injection via Untrusted Event Payload The skill constructs messages for the 'openclaw agent' by directly templating untrusted event payloads. While a 'do not follow instructions' preamble is added, LLMs are known to sometimes ignore such directives, allowing an attacker to inject malicious instructions into the agent's prompt. The skill explicitly acknowledges event payloads as untrusted but relies on a header as the primary defense, which is insufficient against sophisticated prompt injection. Implement robust sanitization of all user-controlled data within the event payload before it is used in the message template. Consider using a templating engine with strict auto-escaping or a dedicated LLM-aware sanitization library to prevent instruction injection. The option to disable the safety preamble (`wake.add_source_preamble: false`) should be removed or heavily restricted. | LLM | scripts/watcher.py:280 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'send_to_openclaw'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/solitaire2015/event-watcher/scripts/watcher.py:155 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_agent'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/solitaire2015/event-watcher/scripts/watcher.py:200 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'send_message'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/solitaire2015/event-watcher/scripts/watcher.py:248 | |
| HIGH | Arbitrary File Write via Webhook Bridge The `scripts/webhook_bridge.py` script allows an attacker to specify an arbitrary file path via the `--path` command-line argument or the `EVENT_WATCHER_WEBHOOK_LOG` environment variable. This enables appending untrusted JSON data to any file on the system, potentially leading to data corruption, denial of service, or staging data for exfiltration. If an attacker can control the execution arguments or environment of this script, they can write to sensitive system files. Restrict the `--path` argument and the `EVENT_WATCHER_WEBHOOK_LOG` environment variable to a specific, secure, and non-sensitive directory. Implement strict path validation to ensure that writes only occur within an allowed sandbox. Avoid allowing arbitrary file paths from user-controlled input or environment variables. | LLM | scripts/webhook_bridge.py:37 | |
| HIGH | Persistent Prompt Injection and Data Staging via Webhook Log File Untrusted webhook payloads are written directly to a log file (`webhook_events.jsonl`) by `scripts/webhook_bridge.py`. This file is subsequently read by `scripts/watcher.py`, and its contents (including the untrusted payload) are used in templates for LLM prompts. This creates a persistent prompt injection vector, as malicious instructions can be stored and repeatedly fed to the LLM. Additionally, this mechanism could be used to stage sensitive data within the log file for later exfiltration if other vulnerabilities exist. Sanitize the `payload` data before writing it to the `webhook_events.jsonl` file, especially if it is intended for LLM consumption. Ensure that any data written to log files that might be processed by an LLM is stripped of potential instruction-like patterns or sensitive information. Implement strict access controls on log files to prevent unauthorized reading or modification. | LLM | scripts/webhook_bridge.py:37 | |
| MEDIUM | Unpinned Python dependency version Requirement 'redis' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/solitaire2015/event-watcher/scripts/requirements.txt:1 | |
| MEDIUM | Unpinned Python dependency version Requirement 'pyyaml' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/solitaire2015/event-watcher/scripts/requirements.txt:2 |
Scan History
Embed Code
[](https://skillshield.io/report/1ca4b3ce5057c857)
Powered by SkillShield