Security Audit

fail2ban-reporter

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

fail2ban-reporter received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 2 findings: 2 critical, 0 high, 0 medium, and 0 low severity. Key findings include Command Injection via User-Controlled Jail Name.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.

Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

40%

Behavioral Risk Signals

Shell Execution

2 findings

Dynamic Code

2 findings

Excessive Permissions

2 findings

Security Findings2

Severity	Finding	Layer	Location
CRITICAL	Command Injection via User-Controlled Jail Name The `report-banned.sh` script uses a user-controlled variable `$JAIL` directly within a `sudo fail2ban-client status "$JAIL"` command. If a malicious user provides a jail name containing shell metacharacters (e.g., `sshd; rm -rf /`), it could lead to arbitrary command execution with root privileges, as `fail2ban-client` is executed via `sudo`. Sanitize the `$JAIL` variable to ensure it only contains valid characters for a fail2ban jail name (e.g., using a regular expression to allow only alphanumeric characters, hyphens, and underscores). Alternatively, use `printf %q` to properly quote the argument before passing it to `fail2ban-client`.	LLM	scripts/report-banned.sh:15
CRITICAL	Command Injection via User-Controlled Jail Name The `stats.sh` script uses a user-controlled variable `$JAIL` directly within a `sudo fail2ban-client status "$JAIL"` command. If a malicious user provides a jail name containing shell metacharacters (e.g., `sshd; evil_command`), it could lead to arbitrary command execution with root privileges, as `fail2ban-client` is executed via `sudo`. Sanitize the `$JAIL` variable to ensure it only contains valid characters for a fail2ban jail name (e.g., using a regular expression to allow only alphanumeric characters, hyphens, and underscores). Alternatively, use `printf %q` to properly quote the argument before passing it to `fail2ban-client`.	LLM	scripts/stats.sh:19

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/0a47ddd345f3853f.svg)](https://skillshield.io/report/0a47ddd345f3853f)