Trust Assessment
jules-cli received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 0 critical, 2 high, 0 medium, and 0 low severity. The key findings are command injection via an unsanitized task description in 'jules remote new' and command injection via an unsanitized session ID in 'jules remote pull'.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Command Injection via unsanitized task description in 'jules remote new'.** The skill instructs the LLM to construct a shell command `jules remote new --repo "<repo>" --session "Detailed task description"`. It relies on the LLM to replace `"Detailed task description"` with validated and sanitized user input. Although the skill's 'Security Guidelines' advise 'Sanitization', if the LLM fails to properly sanitize the user-provided task description (e.g., by not escaping quotes or shell metacharacters), an attacker could inject arbitrary shell commands. For example, input like `My task"; rm -rf /; echo "` would lead to command execution. Instruct the LLM to rigorously escape all shell metacharacters (e.g., `"`, `'`, `;`, `&`, `\|`, `$`, `(`, `)`, `` ` ``, `<`, `>`) in user-provided task descriptions before embedding them in the command string. Alternatively, if the `jules` CLI supports it, pass the task description via a temporary file or an environment variable to avoid direct shell interpolation. | LLM | SKILL.md:78 |
| HIGH | **Command Injection via unsanitized session ID in 'jules remote pull'.** The skill instructs the LLM to construct a shell command `jules remote pull --session "<SESSION_ID>" --apply`. It relies on the LLM to replace `"<SESSION_ID>"` with validated and sanitized user input. Although the skill's 'Security Guidelines' advise 'Input Validation' and state that 'Session IDs are alphanumeric (typically hyphens and underscores are also allowed)', if the LLM fails to strictly validate and sanitize the user-provided session ID (e.g., by not escaping quotes or shell metacharacters), an attacker could inject arbitrary shell commands. For example, input like `123"; rm -rf /; echo "` would lead to command execution. Instruct the LLM to rigorously validate that the session ID strictly adheres to the expected alphanumeric format (including hyphens and underscores) and to escape any shell metacharacters (e.g., `"`, `'`, `;`, `&`, `\|`, `$`, `(`, `)`, `` ` ``, `<`, `>`) before embedding it in the command string. Reject any input that does not conform to the expected format. | LLM | SKILL.md:105 |