Security Audit

identity-manager

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

identity-manager received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 7 findings: 3 critical, 0 high, 2 medium, and 2 low severity. Key findings include Arbitrary command execution, Unpinned npm dependency version, Node lockfile missing.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

40%

Static Code Analysis

100%

Dependency Graph

91%

LLM Behavioral Safety

61%

Behavioral Risk Signals

Network Access

1 finding

Filesystem Write

4 findings

Shell Execution

3 findings

Dynamic Code

1 finding

Excessive Permissions

1 finding

Security Findings7

Severity	Finding	Layer	Location
CRITICAL	Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/autogame-17/identity-manager/auto_scan.js:3
CRITICAL	Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/autogame-17/identity-manager/auto_scan.js:28
CRITICAL	Command Injection via unsanitized external input The `auto_scan.js` script constructs a shell command using `execSync` and directly interpolates `group.chat_id` into it. The `group.chat_id` variable is obtained from the JSON output of another script (`group-intel/fetch.js`). If the `group-intel/fetch.js` script is compromised or returns a maliciously crafted `chat_id` (e.g., containing shell metacharacters like `"; rm -rf /; echo "`), it could lead to arbitrary command execution on the host system. Although the `chat_id` is enclosed in double quotes, a sophisticated attacker can still break out of these quotes in a shell context. Avoid using `execSync` with string interpolation for arguments. Instead, use `child_process.spawn` or `child_process.execFile` with an array of arguments, which prevents shell interpretation of the arguments. Alternatively, strictly sanitize `group.chat_id` to ensure it contains only expected characters (e.g., alphanumeric, hyphens, underscores) before using it in a shell command.	LLM	auto_scan.js:60
MEDIUM	Unpinned npm dependency version Dependency 'fs-extra' is not pinned to an exact version ('^11.2.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk.	Dependencies	skills/autogame-17/identity-manager/package.json
MEDIUM	Excessive Filesystem Access to Shared Memory Directory Multiple scripts (`auto_scan.js`, `index.js`, `search.js`, `sync.js`) access `../../memory/user_registry.json`. This path resolves to a directory outside the skill's immediate scope, implying read/write access to a shared `memory` directory. While this might be intentional for inter-skill data sharing, it grants the skill broader filesystem permissions than necessary if the `memory` directory contains other sensitive data not intended for this skill. A compromised skill could potentially read, modify, or delete data belonging to other skills or the agent's internal state stored in this shared location. If possible, restrict file access to within the skill's own dedicated storage directory. If shared storage is essential, ensure the `memory` directory is strictly controlled, contains only non-sensitive or explicitly shared data, and consider implementing platform-level access controls to limit what skills can access within it.	LLM	auto_scan.js:7
LOW	Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution.	Dependencies	skills/autogame-17/identity-manager/package.json
LOW	Unpinned Dependency in package.json The `package.json` file specifies the `fs-extra` dependency with a caret (`^`) version range (`^11.2.0`). This allows for automatic updates to minor and patch versions. While convenient, it introduces a supply chain risk where a malicious update to `fs-extra` or any of its transitive dependencies could be automatically pulled in, potentially compromising the skill without explicit review. This is a common practice but a known security risk. Pin dependencies to exact versions (e.g., `"fs-extra": "11.2.0"`) to ensure deterministic builds and prevent unexpected changes from upstream packages. Regularly audit and manually update dependencies after reviewing their changes and security advisories.	LLM	package.json:7

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/a1b82d4d93b8bb41.svg)](https://skillshield.io/report/a1b82d4d93b8bb41)