Trust Assessment
janitor received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 17 findings: 5 critical, 5 high, 6 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Arbitrary command execution, Unsafe deserialization / dynamic eval.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings17
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions systemd service persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/sarthib7/janitor/install.sh:155 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/sarthib7/janitor/src/services/github-backup.js:7 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/sarthib7/janitor/src/session-management/archiver.js:11 | |
| CRITICAL | Command Injection via Unsanitized Environment Variables in Shell Scripts The `scripts/pre-start-cleanup.sh` and `install.sh` scripts use environment variables (e.g., `OPENCLAW_HOME`, `SESSION_DIR`, `LOG_FILE`, `ARCHIVE_DIR`) directly in shell commands (`mkdir`, `find`, `tar`, `rm`, `cp`, `chmod`) without sanitizing them for shell metacharacters. While the `validate_path` function checks for path traversal, it does not prevent command injection. An attacker able to control these environment variables could inject arbitrary commands, leading to remote code execution. Environment variables used in shell commands must be thoroughly sanitized for shell metacharacters or, preferably, passed as arguments to commands that handle them safely (e.g., `mkdir -- "$DIR"`). The `validate_path` function should be extended to check for shell metacharacters in addition to path traversal. | LLM | scripts/pre-start-cleanup.sh:20 | |
| CRITICAL | Arbitrary File Read/Write via Unvalidated File Paths in Config Manager CLI The `ConfigManager` class, used by the CLI (`index.js`), allows `exportConfig` and `importConfig` methods to write to and read from arbitrary file paths provided by the user (via CLI arguments). There is no validation to restrict these paths to a safe directory or prevent path traversal. An attacker could use this to read sensitive system files (e.g., `/etc/passwd`) or overwrite critical files (e.g., `/root/.ssh/authorized_keys`). Implement robust path validation using `SecurityUtils.validatePath` or similar logic for `filePath` in `exportConfig` and `importConfig`. Restrict operations to a designated configuration directory. | LLM | src/utils/config-manager.js:89 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/sarthib7/janitor/src/session-management/archiver.js:124 | |
| HIGH | Persistence mechanism: systemd service Detected systemd service pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/sarthib7/janitor/install.sh:155 | |
| HIGH | Command Injection in `GitHubBackup` and `SessionArchiver` via Unsanitized Paths The `GitHubBackup` and `SessionArchiver` classes use `child_process.exec` (via `execAsync`) to run `git` and `tar` commands. Several arguments to these commands, such as `this.config.localPath` (in `GitHubBackup`) and `this.config.archivePath` (in `SessionArchiver`), are user-configurable. While `SecurityUtils.validatePath` is used for path traversal, it does not sanitize these paths for shell metacharacters (e.g., `$(command)`, backticks, semicolons) when they are embedded directly into template literal command strings. An attacker able to control these configuration paths could inject arbitrary shell commands. Use `child_process.spawn` with an array of arguments instead of `exec` with a single command string, as `spawn` does not invoke a shell by default, preventing shell injection. If `exec` must be used, ensure all user-controlled parts of the command string are rigorously sanitized using `SecurityUtils.sanitizeShellArg` and properly quoted. `SecurityUtils.validatePath` should be extended to check for shell metacharacters if paths are used in `exec`. | LLM | src/services/github-backup.js:49 | |
| HIGH | Path Traversal and Arbitrary File Operations via Unvalidated Session Paths The `SessionMonitor` class's `config.sessionPath` (which can be user-controlled via the main `Janitor` config) is used directly in `fs.promises.readdir`, `fs.promises.stat`, and `fs.promises.readFile` to list, read, and get information about session files. Similarly, `SessionPruner` and `EmergencyCleanup` use `fs.promises.unlink` on `session.path` (derived from `SessionMonitor`). If an attacker can set `config.sessionPath` to a malicious path (e.g., `../../../../etc`), they could read arbitrary files or cause arbitrary file deletion outside the intended session directory. `SecurityUtils.validatePath` is not applied to `this.config.sessionPath` before these file system operations. Apply `SecurityUtils.validatePath` to `this.config.sessionPath` immediately after it is set in the `SessionMonitor` constructor, ensuring it is always within the expected base directory. | LLM | src/session-management/monitor.js:20 | |
| HIGH | Server-Side Request Forgery (SSRF) and Data Exfiltration via Unvalidated Webhook URL The `Notifier` class uses `this.config.discord.webhookUrl` directly in `_makeHttpRequest` to send notifications. This URL can be user-controlled via the skill's configuration or environment variables. The `SecurityUtils.validateUrl` function is not applied to this `webhookUrl`. An attacker could configure a malicious `webhookUrl` pointing to an internal network resource or an external attacker-controlled server, forcing the skill to send potentially sensitive notification data (including `title`, `message`, `level`, and `data` from the notification object) to an arbitrary destination. This constitutes a Server-Side Request Forgery (SSRF) vulnerability and a data exfiltration risk. Apply `SecurityUtils.validateUrl` to `this.config.discord.webhookUrl` in the `Notifier` constructor to ensure it points to a legitimate and allowed Discord domain and does not target private IP addresses or localhost. | LLM | src/services/notifier.js:24 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/sarthib7/janitor/src/session-management/analyzer.js:298 | |
| MEDIUM | Missing required field: name The 'name' field is required for openclaw skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/sarthib7/janitor/SKILL.md:1 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/sarthib7/janitor/install.sh:20 | |
| MEDIUM | Sensitive environment variable access: $USER Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/sarthib7/janitor/install.sh:155 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/sarthib7/janitor/scripts/pre-start-cleanup.sh:26 | |
| MEDIUM | Storage of API Credentials in `.env` file by `install.sh` The `install.sh` script prompts the user for Telegram Bot Token and Chat ID, then writes these directly into a `.env` file within the skill's directory (`$SKILL_DIR/.env`). While this is a common practice for local development, storing sensitive API credentials in a file, especially one that might be part of a larger workspace, poses a risk if the file permissions are not strictly controlled or if the environment is compromised. This could lead to unauthorized access to the user's Telegram bot. Advise users to secure the `.env` file with appropriate file permissions (e.g., `chmod 600 .env`). Consider using a more secure secrets management solution (e.g., OS-level keyrings, dedicated secrets services) for production environments instead of plain text `.env` files. The installation script should explicitly set restrictive permissions on the `.env` file after creation. | LLM | install.sh:200 | |
| INFO | Supply Chain Risk - Unspecified External Dependency for Globbing The `SKILL.md` documentation mentions 'Cache Cleanup' using glob patterns like `node_modules/.cache/**` and `**/*.cache`. The `janitor.js` file, in its `cleanup` method (not fully provided but implied by documentation), would likely use a globbing library. The `SKILL.md` explicitly states 'No dependencies needed!' and `skill.json` lists no external dependencies. If an external globbing library (e.g., `globby`) is used without being declared in `package.json` or `skill.json`, it represents an undeclared dependency. This can lead to runtime errors if the dependency is not present, or introduce supply chain risks if a manually installed or globally available version is compromised or outdated. If an external globbing library is used, it must be explicitly declared as a dependency in `package.json` (and `skill.json` if applicable) with a pinned version to mitigate supply chain risks. If only Node.js built-in modules are used, clarify how globbing is achieved without external libraries. | LLM | SKILL.md:49 |
Scan History
Embed Code
[](https://skillshield.io/report/29d7b47c59b6823f)
Powered by SkillShield