Trust Assessment
everclaw received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 2 high, 2 medium, and 1 low severity. Key findings include Exfiltration of Agent Memory and Identity Files, API Key Transmission to Third-Party Service, and Local Storage of API Key.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 54/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Exfiltration of Agent Memory and Identity Files: The skill is designed to read sensitive local files such as `SOUL.md`, `IDENTITY.md`, `USER.md`, `MEMORY.md`, `memory/*.md`, `TOOLS.md`, and `HEARTBEAT.md`, and then upload their content to a third-party remote service (`https://everclaw.chong-eae.workers.dev`). While this is the intended functionality for backup, it constitutes a direct and continuous data exfiltration mechanism for potentially sensitive user and agent data. Users must be fully aware and explicitly consent to the continuous transfer of their agent's memory and identity data to a third-party service. The skill should clearly articulate the data being transferred and the privacy policy of the remote service. Ensure the remote service's security and privacy practices are thoroughly vetted. | LLM | SKILL.md:40 |
| HIGH | API Key Transmission to Third-Party Service: The skill generates a new `EVERCLAW_API_KEY` locally and then immediately transmits it to the third-party provisioning endpoint (`https://everclaw.chong-eae.workers.dev/v1/provision`). Subsequently, this API key is included in the `Authorization` header for every API request to the remote vault service. This means the sensitive API key is continuously transmitted to a third party. While this is standard for API authentication, it represents a continuous exposure point to the remote service. Ensure all communications with the remote service are strictly enforced over HTTPS to prevent interception. The skill's description states the key is "never stored on the server — only a hash," which implies the server handles it securely, but the initial transmission and subsequent usage still expose the key to the remote service. Users should be informed about this transmission and the security practices of the remote service. | LLM | SKILL.md:26 |
| MEDIUM | Local Storage of API Key: The generated `EVERCLAW_API_KEY` is stored locally in `~/.openclaw/openclaw.json`. While necessary for the skill's operation, this represents a sensitive credential stored on the local filesystem. If the local environment is compromised, this key could be exfiltrated. Ensure the `~/.openclaw/openclaw.json` file is created with appropriate restrictive file permissions (e.g., `chmod 600`) to prevent unauthorized access by other users or processes on the system. | LLM | SKILL.md:35 |
| MEDIUM | Broad File System and Command Execution Permissions: The skill requires extensive read/write access to multiple `.md` files within the agent's workspace (`SOUL.md`, `IDENTITY.md`, `USER.md`, `MEMORY.md`, `memory/*.md`, `TOOLS.md`, `HEARTBEAT.md`) and to the `~/.openclaw/openclaw.json` configuration file. It also executes external commands like `curl` and `openssl`. While these permissions are required for its intended backup and restore functionality, they grant the skill significant control over the agent's data and environment. The ability to modify `HEARTBEAT.md` also allows it to schedule or alter future agent tasks. Implement a robust sandboxing mechanism for skills to restrict their access to only the absolute minimum necessary resources. Clearly document all required permissions to the user and explain the implications of granting such access. | LLM | SKILL.md:24 |
| LOW | Potential Command Injection Pattern with `$(whoami)`: The skill uses `$(whoami)` within a shell command string to construct a JSON payload for `curl`. While `whoami` is a fixed system command and not user-controlled in this specific instance, this pattern of embedding shell command output directly into a string that is then executed by `curl` (or any other shell command) is a common vector for command injection if any part of the embedded string were to become user-controlled without proper sanitization. Avoid direct embedding of shell command outputs or any potentially untrusted input into command strings. Use parameterized commands or robust escaping/sanitization functions for all external inputs to prevent command injection vulnerabilities. | LLM | SKILL.md:27 |