Trust Assessment
kameo received a trust score of 34/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 11 findings: 3 critical, 2 high, 4 medium, 1 low and 1 informational. The critical and high findings all concern user-controlled values interpolated unescaped into shell scripts (embedded Python, JSON request bodies and a locally written credentials file); the remaining findings are three potential hardcoded secrets in SKILL.md, access to the `$USER` environment variable, and a missing Node lockfile.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100; every critical and high finding below comes from that layer.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (11)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Code injection via unsanitized DIALOGUE in enhance_prompt.sh. The user-controlled `DIALOGUE` variable is expanded inside an unquoted heredoc that holds an embedded Python script, so its value becomes part of the Python source. A value that terminates the Python literal it lands in (if that is a double-quoted string, something like `"; import os; os.system("id") #`) runs arbitrary Python with the script's privileges. Note that shell syntax such as `$(command)` or `` `command` `` inside the value is not re-evaluated by the shell during expansion; the injection is into Python rather than the shell, with the same outcome of arbitrary code execution. Quote the heredoc delimiter (`<<'EOF'`) so nothing is expanded inside the script, and hand the value to Python through `sys.argv` or an environment variable instead of splicing it into the source. | LLM | scripts/enhance_prompt.sh:46 |
| CRITICAL | Unvalidated IMAGE_PATH in generate_video.sh. The user-controlled `IMAGE_PATH` variable is handed to `base64` inside a command substitution (`$(base64 ... "$IMAGE_PATH" ...)`). As shown, the expansion is double-quoted, so a value containing `$(command)` reaches `base64` as a literal filename and is not executed; the command-injection mechanism described by the scanner does not apply to this form. What remains is that the script reads and encodes whatever file the caller names into the API request (an arbitrary local-file-read-and-exfiltration primitive when `IMAGE_PATH` is attacker-controlled), and a value beginning with `-` is parsed by `base64` as an option. Validate that the path is a regular image file inside the expected directory and pass it after `--`. | LLM | scripts/generate_video.sh:45 |
| CRITICAL | JSON injection via unsanitized EMAIL/PASSWORD in register.sh (curl -d). The user-controlled `EMAIL` and `PASSWORD` variables are interpolated into the JSON body passed to `curl -d` for both the signup and login calls. Shell syntax such as `$(command)` in the values is not re-evaluated by the shell, so this is not command execution; the values do, however, land unescaped inside a JSON document, so a value such as `x", "role": "admin` adds arbitrary fields to the request sent to the configured Supabase endpoint, and a quote or backslash in a legitimate password produces a malformed request. Build the body with a JSON encoder, e.g. `jq -n --arg email "$EMAIL" --arg password "$PASSWORD" '{email: $email, password: $password}'`, or encode individual values with `printf '%s' "$EMAIL" \| jq -Rs .` | LLM | scripts/register.sh:28 |
| HIGH | JSON injection via unsanitized ASPECT_RATIO in generate_video.sh. The user-controlled `ASPECT_RATIO` variable is interpolated into a JSON string inside a heredoc without escaping. A crafted value such as `9:16", "malicious_key": "injected_value` adds arbitrary keys or values to the request, with whatever effect the API server gives them. Since the set of valid ratios is small, validate the value against an allow-list of the ratios the API accepts (a `case` statement in shell) before use; escaping with `jq -Rs .` is the fallback if free-form values must be accepted. | LLM | scripts/generate_video.sh:48 |
| HIGH | JSON injection via unsanitized EMAIL in register.sh (credentials.json). The user-controlled `EMAIL` variable is interpolated into a JSON string inside a heredoc when writing `~/.config/kameo/credentials.json`. A crafted value such as `test@example.com", "malicious_key": "injected_value` adds arbitrary keys or values to the stored configuration, corrupting the file or altering what later parsers read from it. Encode `$EMAIL` with `jq -Rs .` (or build the whole document with `jq -n --arg`) before writing credentials.json. | LLM | scripts/register.sh:70 |
| MEDIUM | Potential hardcoded secret (high entropy). A high-entropy string (entropy=5.00) was found in a credential-like context. Verify this is not a hardcoded secret; if it is, move it to an environment variable or a secrets store. | Static | skills/veya2ztn/kameo-free/SKILL.md:32 |
| MEDIUM | Potential hardcoded secret (high entropy). A high-entropy string (entropy=5.00) was found in a credential-like context. Verify this is not a hardcoded secret; if it is, move it to an environment variable or a secrets store. | Static | skills/veya2ztn/kameo-free/SKILL.md:38 |
| MEDIUM | Potential hardcoded secret (high entropy). A high-entropy string (entropy=5.00) was found in a credential-like context. Verify this is not a hardcoded secret; if it is, move it to an environment variable or a secrets store. | Static | skills/veya2ztn/kameo-free/SKILL.md:98 |
| MEDIUM | Sensitive environment variable access: $USER. Access to the `$USER` environment variable was detected in shell context. Verify that the access is necessary and that the value is not included in any request leaving the host. | Static | skills/veya2ztn/kameo-free/scripts/register.sh:34 |
| LOW | Node lockfile missing. package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile so dependency resolution is deterministic and reviewable. | Dependencies | skills/veya2ztn/kameo-free/package.json |
| INFO | Placeholder for sensitive API keys in register.sh. `SUPABASE_URL` and `SUPABASE_ANON_KEY` are defined as placeholders (`YOUR_PROJECT.supabase.co`, `YOUR_SUPABASE_ANON_KEY`). Once a user fills them in, the script sends the user-supplied email and password to that Supabase instance. This is the intended registration flow, but it means credentials go to whoever controls the configured instance, so users should know who that is. Document the sensitivity of these two values, advise users to point them only at an instance they trust, and read them from environment variables rather than hardcoding them, even as placeholders. | LLM | scripts/register.sh:4 |
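The following script is an added example, not code from the kameo repository, that reproduces the interpolation pattern behind the register.sh and generate_video.sh findings and the fixes recommended above. It shows that a `$(...)` inside an expanded value stays literal (so the hazard is the language the value lands in, not the shell), that an unescaped value rewrites a JSON document, and how a JSON encoder, an allow-list, and a quoted heredoc with the value passed through the environment close each hole. It assumes only POSIX sh and sed; python3 is optional for the last function. All function names are hypothetical.

```sh
#!/bin/sh
# Added example (not code from the kameo project). Assumes POSIX sh + sed;
# python3 is only needed for embed_python_safely.

# Vulnerable pattern: a caller-controlled value is expanded straight into a JSON
# document inside an unquoted heredoc, as register.sh does for credentials.json.
# Expansion does not re-parse the value, so "$(id)" stays literal text; the bug is
# that the text lands unescaped inside JSON.
render_unsafe() {
    cat <<EOF
{"email": "$1", "password": "$2"}
EOF
}

# Minimal JSON string escaper for this example: handles backslash, double quote and
# embedded newlines. Other control characters are left alone, which is why real
# scripts should use a proper encoder, e.g.
#   jq -n --arg email "$EMAIL" --arg password "$PASSWORD" '{email: $email, password: $password}'
json_escape() {
    printf '%s' "$1" \
      | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
      | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g'
}

# Hardened pattern: encode each value before it is placed inside the JSON string.
render_safe() {
    email=$(json_escape "$1")
    password=$(json_escape "$2")
    printf '{"email": "%s", "password": "%s"}\n' "$email" "$password"
}

# For a fixed vocabulary such as ASPECT_RATIO, an allow-list beats escaping.
# The accepted set here is constructed for the example.
valid_aspect_ratio() {
    case "$1" in
        16:9|9:16|1:1) return 0 ;;
        *) return 1 ;;
    esac
}

# Hardened pattern for the enhance_prompt.sh case: quote the heredoc delimiter so the
# shell expands nothing inside the Python source, and hand the value over through
# the environment instead of splicing it into the script.
embed_python_safely() {
    DIALOGUE="$1" python3 - <<'EOF'
import os
print(repr(os.environ["DIALOGUE"]))
EOF
}

# Demo with a constructed injection payload.
PAYLOAD='a@example.com", "role": "admin'
printf 'unsafe:  %s\n' "$(render_unsafe "$PAYLOAD" hunter2)"
printf 'safe:    %s\n' "$(render_safe "$PAYLOAD" hunter2)"
printf 'literal: %s\n' "$(render_unsafe '$(echo PWNED)' x)"
if command -v python3 >/dev/null 2>&1; then
    printf 'python:  %s\n' "$(embed_python_safely 'a"; import os; os.system("id")')"
fi
```

The `literal:` line prints `$(echo PWNED)` unchanged, which is the point the scanner's three critical findings get wrong about mechanism: variable expansion never re-evaluates command substitution, so a payload only gains code execution where the value becomes Python source (enhance_prompt.sh), and only gains data tampering where it becomes JSON (register.sh, generate_video.sh).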
Full report: https://skillshield.io/report/8a33fbfe3118394c (analysis by SkillShield)