Trust Assessment
foundry received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Arbitrary Code Execution via `foundry_extend_self` `toolCode`, Broad Self-Modification and Code Generation Capabilities, and Untrusted Code Ingestion from Marketplace and External Sources.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary Code Execution via `foundry_extend_self` `toolCode`.** The `foundry_extend_self` tool lets the agent add new capabilities to itself by accepting `toolCode` as a string. The documented example `toolCode: "const res = await fetch(...)"` shows that this parameter takes arbitrary JavaScript. Because the skill's manifest requires the `node` binary, that code runs in a Node.js process, so a malicious or prompt-injected `toolCode` value amounts to arbitrary code execution with the agent's privileges and potential system compromise. The skill mentions blocking `child_process` and `eval` as a mitigation, but that is a denylist (blacklist) applied to source text: the underlying capability to execute arbitrary code remains, and string-level denylists are routinely bypassed, for example by assembling the blocked name at runtime. Recommendation: redesign `foundry_extend_self` to take a declarative configuration for new tools instead of executable code. If code generation is unavoidable, enforce an allowlist-based sandbox, strict input validation, and mandatory human review of *all* generated code before it is executed or deployed, and run it in a maximally sandboxed, least-privilege environment. | LLM | SKILL.md:109 |
| HIGH | **Broad Self-Modification and Code Generation Capabilities.** The skill's core functionality is self-modification and code generation: it can 'Write Extensions', 'Tools', 'Hooks' and 'Skills', and can 'Self-Modify'. Tools such as `foundry_write_extension`, `foundry_write_skill`, `foundry_add_tool` and `foundry_extend_self` let the agent generate executable code and write it to the filesystem (e.g. `~/.openclaw/extensions/foundry/`). Combined with the ability to execute arbitrary code, this is a large attack surface: a compromised agent could write malicious code, alter existing functionality, or plant backdoors that persist on disk. Recommendation: implement a strict permissions model for code generation and modification. Subject all generated code to automated security analysis (static and dynamic) and mandatory human review before it is written to disk or executed, and limit what the agent can generate or modify to predefined, safe templates or configurations rather than arbitrary code. | LLM | SKILL.md:60 |
| HIGH | **Untrusted Code Ingestion from Marketplace and External Sources.** The skill carries supply-chain risk through its ability to 'Search, browse, and install community abilities' via `foundry_marketplace` and to 'Learn from arXiv papers' and 'GitHub repos' via its `sources` configuration. Ingesting or executing code and patterns from unvetted external content (community abilities, GitHub code, research papers) can introduce malicious code or instructions into the agent's operational context, leading to execution of compromised code, data exfiltration, or system compromise. Recommendation: vet, sandbox and isolate all external content, especially community abilities and code from GitHub; treat 'learned' patterns and code as untrusted input that is sanitized, reviewed and executed only in an isolated, least-privilege environment; and warn users clearly about the risks of installing unvetted community content. | LLM | SKILL.md:40 |
| MEDIUM | **Potential Data Exfiltration through Marketplace Publishing.** The `foundry_publish_ability` tool lets the agent 'Publish pattern/skill to Foundry Marketplace'. If 'learned patterns' or 'skills' inadvertently contain sensitive user data, proprietary information, or internal system details, publishing them to a public marketplace is a data exfiltration path. `marketplace.autoPublish` is `false` by default, but a user or a malicious prompt could enable it or invoke the publishing tool directly, causing unintended disclosure. Recommendation: sanitize and review any content before it is published; prevent the agent from including sensitive information in patterns or skills intended for public sharing; and require explicit user confirmation, with a clear warning, before anything is published to the marketplace. | LLM | SKILL.md:94 |
Full report: https://skillshield.io/report/1186e65f14328466