Trust Assessment
jasper-configguard received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 3 critical, 2 high, 3 medium, and 1 low severity. Key findings include Arbitrary command execution, Missing required field: name, Node lockfile missing.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/emberdesire/jasper-configguard/src/index.js:9 |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/emberdesire/jasper-configguard/src/index.js:227 |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/emberdesire/jasper-configguard/src/index.js:270 |
| HIGH | Arbitrary File Read via user-controlled paths. The `jasper-configguard patch --file <path>` and `jasper-configguard validate <path>` commands allow an attacker to specify an arbitrary file path. The tool then reads the content of this file using `fs.readFileSync`. While `patch` attempts to parse it as JSON and `validate` reports on JSON validity, the ability to read any file on the system (e.g., `/etc/passwd`, `/proc/self/environ`, `.ssh/id_rsa`) constitutes a significant data exfiltration vulnerability. Even if the file is not valid JSON, an error message might reveal partial content or confirm existence. Implement strict validation and sanitization for file paths provided by user input. Restrict file access to a predefined, secure directory or use a whitelist of allowed files. For `patch --file`, ensure the file is within an expected configuration directory. For `validate`, consider if validating arbitrary files is truly necessary or if it should be restricted to known config files. | LLM | cli/configguard.js:136 |
| HIGH | Arbitrary File Write via user-controlled config path. The `jasper-configguard --config <path>` argument allows an attacker to specify an arbitrary path for the `openclaw.json` configuration file. The `ConfigGuard` class then uses this `configPath` for all read/write operations (`_readConfig`, `_writeConfig`, `_createBackup`, `_restoreBackup`). If an attacker can control the `configPath` to point to a sensitive system file (e.g., `/etc/cron.d/malicious_job`, `/etc/profile.d/malicious.sh`, or a web server's configuration file), and then uses the `patch` command with malicious JSON, they could write arbitrary content to that file. This could lead to privilege escalation, persistent command execution, or denial of service, especially if the tool is run with elevated privileges (e.g., `sudo`). Restrict the `--config` argument to only allow paths within a predefined, secure configuration directory (e.g., `~/.openclaw/`). Do not allow arbitrary file paths. If the tool must operate on different config files, implement a whitelist or strict validation to ensure paths are not outside expected boundaries. | LLM | src/index.js:24 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/emberdesire/jasper-configguard/SKILL.md:1 |
| MEDIUM | Unrestricted `execSync` call for gateway restart. The `_restartGateway()` function uses `child_process.execSync('openclaw restart', { stdio: 'inherit' })`. While the command itself is hardcoded and does not directly incorporate user input, the use of `execSync` is generally discouraged due to its blocking nature and potential for command injection if any part of the command string were to become user-controlled (e.g., through environment variables that `openclaw` might interpret). More importantly, this command runs with the full privileges of the `jasper-configguard` process. If `jasper-configguard` is run with elevated privileges (e.g., `sudo`), then `openclaw restart` also executes with those privileges, which could be exploited if `openclaw` itself has vulnerabilities or if its execution environment can be manipulated. If possible, replace `execSync` with a safer alternative like `child_process.spawn` or `child_process.execFile` with a fixed command and arguments, which prevents shell interpretation. Ensure that the `openclaw` command itself is robust against environment variable manipulation. If the tool requires elevated privileges, consider using a more granular privilege management system or a dedicated service account with minimal necessary permissions. | LLM | src/index.js:119 |
| MEDIUM | Potential Server-Side Request Forgery (SSRF) via `gatewayUrl`. The `ConfigGuard` class makes HTTP requests to `this.gatewayUrl` for health checks. While the default is `http://localhost:18789`, the `gatewayUrl` can be set via the `options` object passed to the `ConfigGuard` constructor. Although the CLI does not directly expose a flag for `gatewayUrl`, if the `ConfigGuard` library is used programmatically in an environment where an attacker can control the `options` object, they could direct the tool to make requests to internal network resources or other external services. This could be used for port scanning, accessing internal APIs, or bypassing firewalls. If `gatewayUrl` is not intended to be user-configurable, remove it from the constructor options or make it a private internal variable. If it must be configurable, implement strict validation to ensure the URL points only to allowed hosts (e.g., `localhost` or specific internal IPs/domains) and protocols. | LLM | src/index.js:26 |
| LOW | Node lockfile missing. package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/emberdesire/jasper-configguard/package.json |