Security Audit

headless-vault-cli

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned 3 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

headless-vault-cli received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 7 findings: 0 critical, 6 high, 1 medium, and 0 low severity. Key findings include Hidden network beacons / undisclosed telemetry, Sensitive environment variable access: $HOME, Command Injection via unencoded path in create/append.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

40%

Static Code Analysis

93%

Dependency Graph

100%

LLM Behavioral Safety

70%

Behavioral Risk Signals

Network Access

4 findings

Filesystem Write

2 findings

Shell Execution

7 findings

Dynamic Code

2 findings

Excessive Permissions

1 finding

Security Findings7

Severity	Finding	Layer	Location
HIGH	Hidden network beacons / undisclosed telemetry Command output piped through base64 encoding Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious.	Manifest	skills/logancyang/headless-vault-cli/vault.sh:68
HIGH	Hidden network beacons / undisclosed telemetry Command output piped through base64 encoding Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious.	Manifest	skills/logancyang/headless-vault-cli/vault.sh:74
HIGH	Hidden network beacons / undisclosed telemetry Command output piped through base64 encoding Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious.	Manifest	skills/logancyang/headless-vault-cli/vault.sh:98
HIGH	Hidden network beacons / undisclosed telemetry Command output piped through base64 encoding Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious.	Manifest	skills/logancyang/headless-vault-cli/vault.sh:115
HIGH	Command Injection via unencoded path in create/append The `vault.sh` script's `create` and `append` commands pass the `path` argument directly to the remote `vaultctl` command without base64 encoding it, despite the `SKILL.md` documentation explicitly stating that paths should be base64 encoded for these operations. This creates a command injection vulnerability. If a malicious user provides a `path` containing shell metacharacters (e.g., `'; rm -rf /;'`), these could be executed on the remote machine via SSH, leading to arbitrary code execution. Modify the `create` and `append` handlers in `vault.sh` to base64 encode the `path` argument and include the `--base64` flag when calling `vaultctl`, consistent with the `SKILL.md` documentation and the implementation of `resolve`, `info`, and `read` commands. For example: ```bash create) # ... argument parsing ... encoded_path=$(printf '%s' "$path" \| base64) encoded_content=$(printf '%s' "$content" \| base64) run_vaultctl create "$encoded_path" "$encoded_content" --base64 ;; ``` This ensures that special characters in the path are safely transmitted and decoded by `vaultctl` on the remote side, preventing shell injection.	LLM	vault.sh:100
HIGH	Command Injection via unencoded path in create/append The `vault.sh` script's `create` and `append` commands pass the `path` argument directly to the remote `vaultctl` command without base64 encoding it, despite the `SKILL.md` documentation explicitly stating that paths should be base64 encoded for these operations. This creates a command injection vulnerability. If a malicious user provides a `path` containing shell metacharacters (e.g., `'; rm -rf /;'`), these could be executed on the remote machine via SSH, leading to arbitrary code execution. Modify the `create` and `append` handlers in `vault.sh` to base64 encode the `path` argument and include the `--base64` flag when calling `vaultctl`, consistent with the `SKILL.md` documentation and the implementation of `resolve`, `info`, and `read` commands. For example: ```bash append) # ... argument parsing ... encoded_path=$(printf '%s' "$path" \| base64) encoded_content=$(printf '%s' "$content" \| base64) run_vaultctl append "$encoded_path" "$encoded_content" --base64 ;; ``` This ensures that special characters in the path are safely transmitted and decoded by `vaultctl` on the remote side, preventing shell injection.	LLM	vault.sh:119
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/logancyang/headless-vault-cli/vault.sh:21

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/718bd7c2df17bb9e.svg)](https://skillshield.io/report/718bd7c2df17bb9e)