Trust Assessment
flexible-data-importer received a trust score of 48/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 1 critical, 1 high, 3 medium, and 1 low severity. Key findings include "Covert behavior / concealment directives", "Missing required field: name", and "Unpinned npm dependency version".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Skill requests highly privileged Supabase Service Role Key.** The skill explicitly requires a `supabaseKey` described as a 'Service role key for schema creation.' A Supabase Service Role Key typically grants full administrative access to a Supabase project, including the ability to modify schemas, read/write all data, and manage users. Providing such a highly privileged credential to an AI skill that processes untrusted user input (`filePath`) and has `network: true` permission creates a critical risk. An attacker could potentially exfiltrate this key or use the skill to perform arbitrary malicious operations on the connected Supabase database. Re-evaluate the necessity of a Service Role Key. If schema creation is required, consider using a more granular role with restricted permissions, or implement a secure, isolated mechanism for schema creation that does not expose the service role key to the skill's runtime environment or user input. If possible, use a key with only `anon` or `authenticated` roles for data ingestion, and handle schema changes through a separate, secure process. | LLM | SKILL.md:24 |
| HIGH | **Skill can read arbitrary files and send data over network.** The skill accepts a `filePath` as a required input and declares `filesystem: true` and `network: true` capabilities. This combination allows the skill to read the content of any file accessible to the agent's runtime environment (e.g., `/etc/passwd`, `.env` files, other sensitive data) and potentially exfiltrate that data over the network. While the intended use is for data ingestion, without strict validation and sandboxing of `filePath` and network destinations, this poses a significant data exfiltration risk. Implement robust path validation to restrict `filePath` to expected directories (e.g., a temporary upload directory). Ensure that the skill's network requests are strictly limited to the intended Supabase instance and do not allow arbitrary URLs. Sanitize or validate file content before any network transmission. Consider sandboxing the skill's filesystem access. | LLM | SKILL.md:16 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/sschepis/flexible-data-importer/SKILL.md:1 |
| MEDIUM | **Unpinned npm dependency version.** Dependency '@supabase/supabase-js' is not pinned to an exact version ('^2.39.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/sschepis/flexible-data-importer/package.json |
| MEDIUM | **Untrusted file content used for AI-driven schema inference.** The skill description states 'AI-driven data ingestion' and 'automatically infers relationships, types, and schema names' from user-provided files (CSV, JSON, XLSX). If the content of these untrusted input files is directly incorporated into prompts for an underlying LLM without proper sanitization or validation, a malicious user could craft file content to perform prompt injection attacks, manipulating the LLM's behavior or extracting sensitive information. Implement strict sanitization and validation of all data extracted from user-provided files before it is used in any LLM prompt. Consider using structured data formats for LLM input rather than raw text, and employ techniques like input/output parsing, privilege separation, and human-in-the-loop verification for critical LLM actions. | LLM | SKILL.md:10 |
| LOW | **Covert behavior / concealment directives.** HTML comment containing suspicious keywords. Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | skills/sschepis/flexible-data-importer/SKILL.md:3 |