Trust Assessment
exec-inspector received a trust score of 14/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 2 critical, 2 high, 3 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Missing required field: name, Sensitive environment variable access: $HOME.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Persistence / self-modification instructions** Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/zhengzk-bj/exec-inspector/SKILL.md:126 |
| CRITICAL | **Shell Command Injection via User-Controlled Input to Script** The skill instructs the AI to execute `~/.openclaw/scripts/exec-history.sh search XXX` where `XXX` is user-provided input. If `XXX` contains shell metacharacters (e.g., `;`, `\|`, `&`, `$(...)`), an attacker can inject arbitrary shell commands that will be executed by the system. For example, if a user provides `foo; rm -rf /` as the search keyword, the AI would execute `~/.openclaw/scripts/exec-history.sh search foo; rm -rf /`, leading to arbitrary code execution. The `exec-history.sh` script itself uses `$2` (the user input) within a `jq` command, but the primary vulnerability is at the shell execution level when the AI constructs the command. The AI should be instructed to properly sanitize or escape user-provided arguments before constructing and executing shell commands. For instance, use `printf "%q" "$user_input"` to safely quote the input for shell execution, or ensure the AI's command execution mechanism treats arguments as literal strings rather than shell code. | LLM | SKILL.md:20 |
| HIGH | **Exposure of Potentially Sensitive Command Arguments and Execution Details** The skill's primary function is to read and display `exec` command history from `~/.openclaw/agents/main/sessions/*.jsonl`. The command `grep '"name":"exec"' ~/.openclaw/agents/main/sessions/*.jsonl \| jq -C '.'` is explicitly provided for '查看完整的 exec 工具调用详情' (View complete exec tool call details). This command outputs the full JSON record of every `exec` call, which can include sensitive information such as API keys, passwords, or file paths if they were passed as command arguments. While the skill includes a '隐私保护' (privacy protection) warning, the AI is instructed to '主动执行' (actively execute) and '美化输出' (beautify output), potentially exposing this sensitive data to the user or other tools if prompted. Implement stricter filtering or redaction of sensitive information from command arguments before displaying them. Instead of dumping the full JSON, extract only necessary and non-sensitive fields by default. Provide a mechanism for users to explicitly request full details with a clear warning, rather than making it a default or easily triggered action. | LLM | SKILL.md:120 |
| HIGH | **Potential Shell Command Injection via `exec-monitor-daemon.sh` Calls** The skill instructs the AI to execute commands like `~/.openclaw/scripts/exec-monitor-daemon.sh start` or `~/.openclaw/scripts/exec-monitor-daemon.sh tail`. While the examples show fixed arguments, if the AI is prompted to include user-controlled input as arguments (e.g., 'start the monitor with options `foo; rm -rf /`'), it could lead to shell command injection. The `exec-monitor-daemon.sh` script content is not provided, so the exact vulnerability within the script cannot be assessed, but the instruction to execute it with potentially user-controlled arguments creates an injection surface. Ensure that any user-provided arguments passed to `exec-monitor-daemon.sh` are properly sanitized or escaped by the AI before execution. The AI should treat user input as literal strings, not as shell commands. | LLM | SKILL.md:60 |
| MEDIUM | **Missing required field: name** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/zhengzk-bj/exec-inspector/SKILL.md:1 |
| MEDIUM | **Sensitive environment variable access: $HOME** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/zhengzk-bj/exec-inspector/SKILL.md:204 |
| MEDIUM | **Persistence mechanism: Shell RC file modification** Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/zhengzk-bj/exec-inspector/SKILL.md:126 |