Security Audit

holyspiritos

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned 3 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

holyspiritos received a trust score of 57/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 6 findings: 0 critical, 1 high, 4 medium, and 1 low severity. Key findings include Missing required field: name, Sensitive environment variable access: $HOME, Sensitive environment variable access: $USER.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

79%

Dependency Graph

100%

LLM Behavioral Safety

76%

Behavioral Risk Signals

Network Access

1 finding

Filesystem Write

2 findings

Shell Execution

3 findings

Dynamic Code

1 finding

Excessive Permissions

4 findings

Security Findings6

Severity	Finding	Layer	Location
HIGH	Remote script execution via curl \| bash for uninstallation The uninstallation instructions in SKILL.md advise users to execute a remote script directly from GitHub via `curl -s ... \| bash`. This practice is highly dangerous as it allows arbitrary code execution from a remote source without prior review or verification. If the GitHub repository or the specific script is compromised, an attacker could execute malicious code on the user's system with the user's permissions. Advise users to download the uninstallation script, review its contents, and then execute it locally. Alternatively, include the uninstallation script directly within the skill package to ensure it's part of the trusted distribution.	LLM	SKILL.md:50
MEDIUM	Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter.	Static	skills/maxsikorski/holyspiritos/SKILL.md:1
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/maxsikorski/holyspiritos/scripts/install.sh:9
MEDIUM	Sensitive environment variable access: $USER Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/maxsikorski/holyspiritos/scripts/install.sh:10
MEDIUM	Remote file download without integrity verification The `install.sh` script downloads `verses-1769.json` and `layout-1769.json` from a remote GitHub repository using `wget`. There is no integrity check (e.g., checksum verification) performed on these downloaded files. If the remote repository is compromised, or if there's a man-in-the-middle attack, malicious or corrupted files could be downloaded and used by the AI agent, potentially leading to unexpected behavior or security issues. Implement checksum verification (e.g., SHA256) for downloaded files. The expected checksums should be hardcoded in the `install.sh` script or provided via a trusted channel, and the script should verify the downloaded files against these checksums before proceeding.	LLM	scripts/install.sh:27
LOW	Direct modification of LLM's core configuration (soul.md) The `install.sh` script directly appends a block of text (`SOUL_PATCH`) to the `soul.md` file, which is described as the AI's core identity/configuration. While the content of this specific patch is intended for alignment and appears benign, the mechanism demonstrates the ability of a skill to directly inject instructions and modify the host LLM's foundational prompt. This is an intended feature of the skill, aligning with its declared `write_config` permission, but it highlights a potential attack vector if a malicious skill were to gain similar permissions and inject harmful or manipulative instructions. Ensure that the `write_config` permission is carefully reviewed and granted only to trusted skills. For skills that modify `soul.md`, consider implementing stricter content validation or sandboxing for the injected text, or requiring explicit user confirmation for such modifications.	LLM	scripts/install.sh:44

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/5989784eb5cbbff8.svg)](https://skillshield.io/report/5989784eb5cbbff8)