Trust Assessment
flock-model-switcher received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium and 0 low severity. In severity order they are: Potential Command Injection via User-Provided Model ID (critical), Excessive Permissions Implied by Shell Command Execution (high), and Missing required field: name (medium).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Potential Command Injection via User-Provided Model ID.** The skill's 'Switch Procedure' instructs the agent to execute shell commands, including `openclaw agent --model flock/<model-id>`, where `<model-id>` comes directly from user input (a menu number or a typed model name). If that input is interpolated into the shell command without validation, a malicious user can inject arbitrary shell commands: a model ID such as `flock/some-model; rm -rf /` would run a second, destructive command. Remediation: validate `<model-id>` against a known allowlist of model names before it reaches a shell, and reject shell metacharacters (e.g. semicolons, backticks, dollar signs, parentheses, quotes) that could alter command execution. Preferably switch models through an API or library call that does not interpolate user-controlled strings into a shell command at all. | LLM | SKILL.md:69 |
| HIGH | **Excessive Permissions Implied by Shell Command Execution.** The skill executes `openclaw agent --model`, `openclaw gateway stop` and `openclaw gateway`, which together imply significant control over the agent's configuration and runtime environment. The permissions of the `openclaw` utility are not defined within the skill, but restarting the gateway and changing the agent model indicate a broad scope of control; combined with the command-injection finding above (SS-CMD-001), this raises the impact of a compromise. Remediation: review the permissions granted to `openclaw` and the environment the skill runs in, apply least privilege by limiting the skill to exactly the commands its function requires, prefer granular APIs over shell commands where available, and run the skill in a tightly sandboxed environment. | LLM | SKILL.md:69 |
| MEDIUM | **Missing required field: name.** The `name` field is required in the frontmatter of claude_code skills but is absent. Remediation: add a `name` field to the SKILL.md frontmatter. | Static | skills/createpjf/flock-model-switcher/SKILL.md:1 |
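The harness-side check that the two LLM-layer findings call for, as an added example that is not code from the flock-model-switcher skill or from SkillShield: the flagged pattern (user text interpolated into one shell string) beside a hardened version that resolves a menu number or a typed name against an allowlist, rejects anything outside a tight character class, restricts the skill to the three `openclaw` invocations its procedure uses, and passes the model ID to `openclaw` as a separate argv element with no shell. The model catalogue, the action table and the exact `openclaw` argument shapes are assumptions; the page only shows the three command names.

```python
"""Hardened model switching for the pattern SkillShield flagged (SS-CMD-001)."""
import re
import subprocess
from typing import Callable, Dict, Sequence, Tuple

# Constructed, hypothetical catalogue of selectable models; the page does not
# list flock's real model IDs. This is the allowlist every selection must hit.
MODEL_MENU: Sequence[str] = ("flock/example-7b", "flock/example-70b")

# A model ID must match this character class before it is even looked up, so
# shell metacharacters (; ` $ ( ) ' " | & and whitespace) are rejected up front.
_MODEL_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Least privilege: the only openclaw invocations the skill's procedure needs.
# The argument shapes are assumed from the command names on the report page.
_ALLOWED_OPENCLAW: Dict[str, Tuple[str, ...]] = {
    "switch": ("agent", "--model"),
    "gateway-stop": ("gateway", "stop"),
    "gateway-start": ("gateway",),
}


def vulnerable_switch_command(user_input: str) -> str:
    """The flagged pattern: user text interpolated into a shell string.

    Shown only for contrast; never execute the result with shell=True.
    """
    return f"openclaw agent --model flock/{user_input}"


def resolve_model(user_input: str) -> str:
    """Map a menu number or a model name to an allowlisted 'flock/<model-id>'."""
    text = user_input.strip()
    if text.isdigit():  # the skill lets the user pick a model by number
        index = int(text) - 1
        if not 0 <= index < len(MODEL_MENU):
            raise ValueError(f"menu choice out of range: {text}")
        return MODEL_MENU[index]
    # Accept the name with or without the 'flock/' prefix, then validate it.
    name = text[len("flock/"):] if text.startswith("flock/") else text
    if not _MODEL_ID_RE.fullmatch(name):
        raise ValueError(f"model id contains disallowed characters: {text!r}")
    full = f"flock/{name}"
    if full not in MODEL_MENU:
        raise ValueError(f"model not in allowlist: {full}")
    return full


def build_openclaw_argv(action: str, *args: str) -> list:
    """Build an argv list (no shell) for one of the permitted openclaw actions."""
    if action not in _ALLOWED_OPENCLAW:
        raise PermissionError(f"openclaw action not permitted by this skill: {action}")
    return ["openclaw", *_ALLOWED_OPENCLAW[action], *args]


def switch_model_argv(user_input: str) -> list:
    """Validated argv for 'openclaw agent --model flock/<model-id>'."""
    return build_openclaw_argv("switch", resolve_model(user_input))


def switch_model(user_input: str, runner: Callable = subprocess.run):
    """Validate, then execute without a shell so metacharacters cannot alter the command.

    `runner` is injectable so the flow can be exercised without openclaw installed.
    """
    return runner(switch_model_argv(user_input), shell=False, check=True)


if __name__ == "__main__":
    # Stand-alone demo with a fake runner: prints the argv instead of executing it.
    print(switch_model("1", runner=lambda argv, **kw: argv))
    for bad in ("some-model; rm -rf /", "$(id)", "`whoami`", "99"):
        try:
            resolve_model(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The two defences are independent: the allowlist decides which models may be selected, and `shell=False` with a separate argv element guarantees that even an unexpected value can never be parsed as a second command. Keep both; the character-class check alone would still let a valid-looking but unknown model through, and the allowlist alone still depends on never building a shell string.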
Full report: https://skillshield.io/report/dd16016f27d55c37
Powered by SkillShield