Trust Assessment
hour-meter received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 4 critical, 0 high, 4 medium, and 2 low severity. Key findings include File read + network send exfiltration, Credential harvesting, Suspicious import: urllib.request.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings10
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | File read + network send exfiltration .env file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/rm289/hour-meter/scripts/meter.py:34 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/rm289/hour-meter/scripts/meter.py:31 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/rm289/hour-meter/scripts/meter.py:439 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/rm289/hour-meter/scripts/meter.py:570 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/rm289/hour-meter/scripts/meter.py:20 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/rm289/hour-meter/scripts/sendgrid_webhook.py:37 | |
| MEDIUM | Sensitive PII logged to local file The `sendgrid_webhook.py` script logs all incoming SendGrid event data, including potentially sensitive Personally Identifiable Information (PII) such as recipient email addresses, clicked URLs, and bounce reasons, to a local file (`~/.openclaw/sendgrid-webhook.log`). This log file could become a repository of sensitive user data. If this file is not adequately secured or is accessed by an unauthorized entity, it constitutes a data exfiltration risk. Implement log rotation and access controls for `~/.openclaw/sendgrid-webhook.log`. Consider redacting sensitive fields (like full email addresses or URLs) before logging, or only logging non-PII data. Ensure the log file's permissions are restrictive. | LLM | scripts/sendgrid_webhook.py:49 | |
| MEDIUM | Untrusted input used in formatted messages for agent/Discord The `format_event_message` function constructs messages using untrusted data directly from SendGrid webhook events (e.g., `recipient`, `url`, `reason`). These formatted messages are then sent to external services like Discord or potentially processed by an AI agent (as indicated by `SKILL.md`'s "process events manually (for agent to post)"). If malicious content is present in the SendGrid event data, it could be interpreted as commands, markdown, or instructions by the receiving service (Discord) or the AI agent, leading to prompt injection or unintended actions. For example, a malicious URL or recipient name containing Discord markdown could deface messages, or if fed to an agent, could trigger arbitrary instructions. Sanitize or escape all untrusted input before embedding it into messages sent to Discord or an AI agent. For Discord, this might involve escaping markdown characters. For an AI agent, ensure that the agent's input parsing is robust against malicious instructions embedded in data fields. | LLM | scripts/sendgrid_webhook.py:149 | |
| LOW | Loads sensitive data from .env files into environment The `_load_dotenv()` function attempts to load environment variables from `.env` files located in common user directories (`~/.env`, `/root/.env`, `.env`). While this is a common practice for configuration, it makes any sensitive information (e.g., API keys, tokens) present in these files available in the script's environment. If the script or any downstream process were to inadvertently log or expose its environment variables, this could lead to credential harvesting or data exfiltration. The script itself doesn't appear to exfiltrate these in the provided snippet, but it increases the attack surface. Ensure that sensitive environment variables are handled with extreme care. Avoid logging or printing `os.environ` contents. Consider using more secure methods for secret management, especially in production environments, rather than `.env` files. | LLM | scripts/meter.py:23 | |
| LOW | Unpinned `cryptography` dependency The `sendgrid_webhook.py` script conditionally imports the `cryptography` library for signature verification. However, there is no `requirements.txt` or similar mechanism provided to pin the version of this critical security-related dependency. This could lead to unexpected behavior, compatibility issues, or even security vulnerabilities if a future version of `cryptography` introduces breaking changes or new vulnerabilities, or if a malicious package with the same name is installed. Create a `requirements.txt` file that explicitly lists and pins the version of `cryptography` (e.g., `cryptography==X.Y.Z`). Instruct users to install dependencies using `pip install -r requirements.txt`. | LLM | scripts/sendgrid_webhook.py:20 |
Scan History
Embed Code
[](https://skillshield.io/report/ff1cb70b31b89ef6)
Powered by SkillShield