Trust Assessment
godaddy received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 1 critical, 4 high, 1 medium, and 0 low severity. Key findings include "Sensitive path access: AI agent config", "Remote code execution: curl/wget pipe to shell", and "Sensitive environment variable access: $HOME".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/rdewolff/godaddy/scripts/godaddy.sh:31 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/rdewolff/godaddy/SKILL.md:13 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/rdewolff/godaddy/scripts/godaddy.sh:18 |
| HIGH | Command injection via URL path parameters. User-controlled variables (`$domain`, `$type`, `$name`) are directly interpolated into the `endpoint` variable, which is then used in a double-quoted string passed to `curl` as part of the URL. If these variables contain shell metacharacters (e.g., `$(command)`, backticks, newlines), they will be expanded and executed by the shell before `curl` is invoked. This allows an attacker to execute arbitrary commands on the host system. User-provided components of the URL path (`$domain`, `$type`, `$name`) must be properly URL-encoded before being interpolated into the `endpoint` string. This prevents shell expansion and ensures the URL is correctly formed. A robust solution would involve a URL-encoding function for shell scripts. | LLM | scripts/godaddy.sh:30 |
| HIGH | Command injection via JSON payload construction. User-controlled variables (`$type`, `$name`, `$data`, `$ttl`, `$priority`) are directly interpolated into a JSON string assigned to `json_data`. If these variables contain shell metacharacters (e.g., `$(command)`, backticks, newlines, or unescaped double quotes), they will be expanded and executed by the shell during the variable assignment. This allows an attacker to execute arbitrary commands on the host system. Additionally, unescaped double quotes or backslashes would lead to malformed JSON, potentially causing API errors or unexpected behavior. All user-provided values (`$type`, `$name`, `$data`, `$ttl`, `$priority`) that are embedded into the `json_data` string must be properly JSON-encoded to prevent both shell injection and JSON syntax errors. Tools like `jq` can be used for safe JSON construction in shell scripts (e.g., `jq -n --arg type "$type" --arg name "$name" --arg data "$data" --argjson ttl "$ttl" --argjson priority "$priority" '[{type: $type, name: $name, data: $data, ttl: $ttl, priority: $priority}]'`). | LLM | scripts/godaddy.sh:130 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/rdewolff/godaddy/scripts/godaddy.sh:9 |