Trust Assessment
gitclaw received a trust score of 66/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 0 high, 1 medium, and 0 low severity. Key findings include Potential Command Injection via User-Provided Cron Frequency, Workspace Content May Be Publicly Exposed Without Warning.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Potential Command Injection via User-Provided Cron Frequency The skill instructs the agent to ask the user for an optional 'Backup frequency' and then 'convert it to a cron expression' to be used in the `crontab -` command. The skill does not provide any sanitization, validation, or safe conversion logic for this user input. A malicious user could provide a crafted frequency string (e.g., `*; echo "HACKED" >> /tmp/foo #`) which, if directly interpolated into the cron line, would lead to arbitrary command execution on the system when the crontab is updated. The skill should provide explicit, safe logic for converting user-provided frequency into a valid cron expression, ensuring no shell metacharacters or newlines can be injected. This could involve strict validation of the input format or using a dedicated cron expression parser/generator that sanitizes input. Alternatively, restrict frequency options to a predefined safe set. | LLM | SKILL.md:240 | |
| MEDIUM | Workspace Content May Be Publicly Exposed Without Warning The skill's primary function is to back up the agent's workspace (`$HOME/.openclaw/workspace`) to a GitHub repository. It asks the user for repository visibility (`public` or `private`). If the user chooses `public`, all contents of the workspace, including potentially sensitive files, will be pushed to a public GitHub repository. The skill does not provide any mechanism (like a `.gitignore` file) to exclude sensitive files from the backup, nor does it explicitly warn the user about the implications of making their entire workspace public. This could lead to inadvertent exposure of sensitive data. 1. Add a clear warning to the user about the implications of choosing a `public` repository, especially regarding sensitive data in the workspace. 2. Implement a mechanism to allow the user to specify files or patterns to exclude from the backup (e.g., by creating or modifying a `.gitignore` file in the workspace). 3. Consider making `private` the default or strongly recommended option. | LLM | SKILL.md:30 |
Scan History
Embed Code
[](https://skillshield.io/report/cc8030fbca3cdf4b)
Powered by SkillShield