Trust Assessment
freelance-invoice received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 0 critical, 3 high, 3 medium, and 0 low severity. Key findings include Missing required field: name, Potential Command Injection via `node -e`, Potential Command Injection via `wkhtmltopdf`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 41/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential Command Injection via `node -e`.** The skill instructs the LLM to execute a `node -e` command, which runs arbitrary JavaScript code via the shell. If any part of the command string, including file paths or content, is dynamically constructed from untrusted user input, an attacker could inject malicious shell commands or JavaScript code, leading to arbitrary code execution on the host system. Avoid direct shell execution of dynamically constructed commands. If shell execution is unavoidable, use a dedicated, sandboxed environment and strictly validate and sanitize all inputs to prevent injection. Consider using a library that provides safer APIs for PDF generation without direct shell calls. | LLM | SKILL.md:39 |
| HIGH | **Potential Command Injection via `wkhtmltopdf`.** The skill instructs the LLM to execute `wkhtmltopdf` via the shell. If the `invoice.html` or `invoice.pdf` file paths are dynamically constructed from untrusted user input, an attacker could inject malicious shell metacharacters, leading to arbitrary command execution on the host system. Avoid direct shell execution of dynamically constructed commands. If shell execution is unavoidable, use a dedicated, sandboxed environment and strictly validate and sanitize all inputs to prevent injection. Ensure file paths are generated securely and not directly from user input. | LLM | SKILL.md:49 |
| HIGH | **Puppeteer Sandbox Disabled (`--no-sandbox`).** The Puppeteer command explicitly uses the `--no-sandbox` argument. Running Chromium/Chrome without a sandbox significantly increases the risk of compromise. If malicious HTML or JavaScript is rendered (e.g., via an XSS vulnerability), it could potentially escape the browser process and execute arbitrary code on the host system with the permissions of the user running the skill. Remove the `--no-sandbox` argument. Ensure Puppeteer runs in a properly sandboxed environment. If a sandboxed environment is not feasible, consider alternative PDF generation methods or strictly isolate the execution environment. | LLM | SKILL.md:42 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/sa9saq/freelance-invoice/SKILL.md:1 |
| MEDIUM | **Potential Arbitrary File Read via `fs.readFileSync`.** The `node -e` command uses `fs.readFileSync('invoice.html','utf8')` to read the HTML content. If an attacker can manipulate the LLM to change the `invoice.html` filename to an arbitrary path (e.g., `/etc/passwd` or environment variable files), this could lead to the exfiltration of sensitive local files. Ensure that file paths used for reading are strictly controlled and not derived from untrusted input. Use a temporary, isolated directory for generated files and enforce strict naming conventions. | LLM | SKILL.md:44 |
| MEDIUM | **Unsanitized User Input Leading to XSS in Generated PDF.** The skill explicitly states "Sanitize all user input before embedding in HTML to prevent XSS," acknowledging the risk. However, the instructions do not provide a concrete sanitization mechanism or enforce its use. If user-provided data (e.g., client name, item descriptions, notes) is directly embedded into the generated HTML without proper escaping, it could lead to Cross-Site Scripting (XSS) vulnerabilities within the PDF viewer or the rendering engine (Puppeteer/wkhtmltopdf). This could allow an attacker to execute arbitrary JavaScript, potentially leading to data exfiltration or other malicious actions. Implement and enforce a robust HTML sanitization library or method that the LLM *must* use for all user-provided content before embedding it into the invoice HTML. This should go beyond simple escaping and actively filter out malicious tags and attributes. | LLM | SKILL.md:85 |