Trust Assessment
gh-issues received a trust score of 23/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 1 critical, 2 high, 2 medium, and 2 low severity. Key findings include Covert behavior / concealment directives, Sensitive environment variable access: $GH_TOKEN, Prompt Injection via GitHub Issue Content.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 54/100, indicating areas for improvement.
Last analyzed on February 18, 2026 (commit b62bd290). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Prompt Injection via GitHub Issue Content.** The sub-agent's task prompt directly embeds user-controlled content from GitHub issues (title, body, labels) without explicit sanitization or escaping. A malicious actor could craft a GitHub issue with instructions designed to manipulate the sub-agent's behavior, leading to unintended actions, data exfiltration, or arbitrary command execution by overriding the sub-agent's primary directives. *Recommendation:* Implement robust sanitization or escaping of all user-controlled inputs (`title`, `body`, `labels`) before embedding them into the sub-agent's prompt. Consider using a structured data format for issue details rather than direct text injection into the prompt. Employ prompt injection detection mechanisms to identify and mitigate malicious instructions. | LLM | SKILL.md:250 |
| HIGH | **Command Injection via URL Query Parameters.** The orchestrator constructs `curl` commands for the GitHub API by directly embedding user-provided arguments (`--label`, `--milestone`, `--assignee`) into the URL query parameters. If these arguments contain shell metacharacters or URL-encoded malicious commands, they could break out of the URL context and lead to arbitrary command injection on the host system. *Recommendation:* All user-provided arguments used in shell commands or URLs must be properly escaped. For URL parameters, use URL encoding. For shell commands, use appropriate quoting or argument arrays to prevent shell metacharacter interpretation. | Static | SKILL.md:100 |
| HIGH | **Command Injection via Repository Names.** The `SOURCE_REPO` and `PUSH_REPO` values are derived from user input (positional argument or `--fork` flag). These values are then used in various shell commands, including `curl` URLs, `git remote set-url`, and the construction of the `SOURCE_REPO_SLUG` filename. If a malicious user provides a repository name containing shell metacharacters (e.g., `owner/repo; malicious_command`), it could lead to arbitrary command execution or file system manipulation. *Recommendation:* Validate and sanitize `owner/repo` inputs to ensure they conform to expected GitHub repository naming conventions and do not contain shell metacharacters. Use proper quoting for variables in shell commands, especially when constructing file paths or URLs. | Static | SKILL.md:160 |
| MEDIUM | **Sensitive environment variable access: `$GH_TOKEN`.** Access to the sensitive environment variable `$GH_TOKEN` was detected in a shell context. *Recommendation:* Verify this environment variable access is necessary and that the value is not exfiltrated. | Static | skills/gh-issues/SKILL.md:9 |
| MEDIUM | **Excessive Permissions: Arbitrary Test Execution by Sub-agent.** The sub-agent is explicitly instructed to "Discover and run the existing test suite" (Phase 5, step 5 in the sub-agent task). This implies the ability to execute arbitrary commands (e.g., `npm test`, `make test`, `pytest`) found within the target repository. If the repository is malicious or compromised, or if the sub-agent is manipulated via prompt injection, this capability could be abused to execute arbitrary code on the host system. *Recommendation:* While testing is crucial, allowing arbitrary test execution is a high-risk operation. Consider sandboxing the test execution environment more strictly, or requiring explicit user confirmation before running tests, especially for untrusted repositories. Limit the scope of commands that can be executed during testing. | Static | SKILL.md:300 |
| LOW | **Covert behavior / concealment directives.** An HTML comment containing suspicious keywords was found. *Recommendation:* Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | skills/gh-issues/SKILL.md:624 |
| LOW | **Credential Exposure via Git Remote URL.** The `GH_TOKEN` is embedded directly into the Git remote URL for authentication (`https://x-access-token:$GH_TOKEN@github.com/{PUSH_REPO}.git`). This means the token is passed as part of the command line arguments to `git`. In some environments, command line arguments are visible to other processes (e.g., via `ps aux`) or stored in shell history/logs, potentially exposing the token to unauthorized access. *Recommendation:* Prefer Git credential helpers or environment variables (e.g., `GIT_ASKPASS`) that do not expose the token directly on the command line. If using `x-access-token` in the URL is unavoidable, ensure the execution environment is secured against process snooping and command logging. | Static | SKILL.md:320 |
Full report: https://skillshield.io/report/0cd9ae670682a517