Trust Assessment
godot-plugin received a trust score of 76/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 1 medium, and 1 low severity. Key findings include: "Sensitive environment variable access: $HOME"; "Node lockfile missing"; and "Local HTTP API vulnerable to session hijacking and data exfiltration via CORS".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Local HTTP API vulnerable to session hijacking and data exfiltration via CORS.** The `extension/index.ts` file implements a local HTTP server with `Access-Control-Allow-Origin: *`, allowing any website to interact with it. The `getActiveSessionId` function, used by the OpenClaw gateway to determine which Godot session to send commands to, selects the session based on the most recent heartbeat. A malicious website visited by the user could exploit this by (1) registering its own session via the `/godot/register` endpoint and (2) continuously sending heartbeats to its registered session via `/godot/heartbeat`. This would make the attacker's session appear as the 'active' one. Consequently, any `godot_execute` tool calls made by the LLM would be routed to the attacker's controlled session. This allows the attacker to: **Exfiltrate LLM commands**: the attacker receives the `tool` and `arguments` intended for the legitimate Godot editor, revealing the LLM's intent and potentially sensitive operational data. **Manipulate LLM state**: the attacker can send arbitrary `result` data back via `/godot/result`, influencing the LLM's understanding of the Godot editor's state and potentially leading to prompt injection if the LLM acts on these fake results. **Information Leakage**: the `/godot/status` endpoint, also exposed via CORS, allows an attacker to retrieve project names and versions from legitimate Godot sessions. **Recommendation:** Restrict `Access-Control-Allow-Origin` to `http://localhost:<port>` or specific trusted origins to prevent cross-origin attacks. Implement stronger session authentication (e.g., a shared secret or token) for all API endpoints, especially `register` and `heartbeat`, to prevent unauthorized session creation and manipulation. Consider a more robust session selection mechanism that doesn't solely rely on heartbeat time, or require explicit user confirmation for new sessions. | LLM | extension/index.ts:109 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tomleelive/openclaw-godot-skill/scripts/install-extension.sh:10 |
| LOW | **Node lockfile missing.** package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/tomleelive/openclaw-godot-skill/extension/package.json |