Security Audit

kilocli-coding-agent

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

kilocli-coding-agent received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 5 findings: 2 critical, 2 high, 1 medium, and 0 low severity. Key findings include Command Injection via `bash` tool's `command` argument, Prompt Injection against Kilo CLI via `kilo run`, Command Injection via `tmux send-keys`.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 3/100, indicating areas for improvement.

Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

Behavioral Risk Signals

Network Access

1 finding

Filesystem Write

2 findings

Shell Execution

4 findings

Dynamic Code

5 findings

Excessive Permissions

1 finding

Security Findings5

Severity	Finding	Layer	Location
CRITICAL	Command Injection via `bash` tool's `command` argument The skill explicitly instructs the LLM to use the `bash` tool, passing a `command` string for direct execution. If the LLM constructs this `command` string using unsanitized user input, it creates a critical command injection vulnerability, allowing arbitrary shell commands to be executed on the host system. Examples include `bash workdir:$SCRATCH background:true command:"<agent command>"` and `bash workdir:~/project background:true command:"kilo run ..."`. Implement robust input sanitization and validation for any user-provided data before it is incorporated into the `command` argument of the `bash` tool. Consider using a more constrained execution environment or a tool that provides better sandboxing for user-controlled commands.	LLM	SKILL.md:16
CRITICAL	Command Injection via `tmux send-keys` The skill demonstrates using `tmux send-keys` to execute commands within a tmux session. The string passed to `send-keys` is directly interpreted as shell commands. If any part of this string, such as issue descriptions or other dynamic content, is derived from unsanitized user input, it creates a critical command injection vulnerability within the tmux session. For example, `tmux -S "$SOCKET" send-keys -t fix-78 "cd /tmp/issue-78 && npm install && kilo run 'Fix issue #78: <description>. Commit and push.'" Enter`. Strictly sanitize and validate any user-provided input before incorporating it into commands sent via `tmux send-keys`. Avoid direct concatenation of untrusted input into shell command strings. If possible, use more secure methods for passing data or commands to isolated environments.	LLM	SKILL.md:105
HIGH	Prompt Injection against Kilo CLI via `kilo run` The skill instructs the LLM to use `kilo run` with a natural language prompt. If this prompt is constructed using unsanitized user input, it can lead to prompt injection against the Kilo CLI agent. This could manipulate the Kilo CLI's behavior, making it perform unintended actions, generate malicious code, or exfiltrate data. Examples include `kilo run "Build a snake game with dark theme"` and `kilo run "Review PR #86. git diff ..."`. Ensure all user-provided input used to construct prompts for `kilo run` is strictly validated and sanitized to prevent malicious instructions from being passed to the Kilo CLI agent. Consider using a fixed set of templates or a dedicated prompt sanitization layer.	LLM	SKILL.md:39
HIGH	Potential Command/Prompt Injection via `process action:write` data The skill instructs the LLM to use `process action:write sessionId:XXX data:"..."` to send input to a running process. If the `data` argument is constructed from unsanitized user input, and the target process interprets this data as commands (e.g., a shell, an interactive program, or another LLM), it could lead to command injection or prompt injection. Ensure all user-provided input used for the `data` argument in `process action:write` is strictly validated and sanitized according to the expected input format of the target process. Avoid passing arbitrary user input directly to interactive processes that might interpret it as commands.	LLM	SKILL.md:25
MEDIUM	Excessive Permissions due to broad tool access The skill inherently requires and instructs the use of powerful system tools like `bash`, `git`, `gh` (GitHub CLI), and `npm`. These tools grant broad access to the filesystem, network, and version control systems. While the skill attempts to mitigate some risks with `workdir` and `mktemp`, the underlying permissions are extensive, increasing the blast radius if other vulnerabilities (like command injection) are exploited. Where possible, consider using more granular tools or APIs instead of direct shell execution. Implement strict access controls and sandboxing for the environment where the agent operates. Regularly review the necessity of each permission granted to the agent.	LLM	SKILL.md:16

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/18f2645e5b3ea160.svg)](https://skillshield.io/report/18f2645e5b3ea160)