Security Audit

line-bridge-shrimp

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned 3 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

line-bridge-shrimp received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 6 findings: 3 critical, 1 high, 2 medium, and 0 low severity. Key findings include Arbitrary command execution, Unpinned npm dependency version, Command Injection via execSync with unsanitized user input.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

40%

Static Code Analysis

100%

Dependency Graph

93%

LLM Behavioral Safety

48%

Behavioral Risk Signals

Network Access

1 finding

Filesystem Write

2 findings

Shell Execution

4 findings

Dynamic Code

2 findings

Security Findings6

Severity	Finding	Layer	Location
CRITICAL	Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/stu24801/line-bridge-shrimp/index.js:5
CRITICAL	Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/stu24801/line-bridge-shrimp/index.js:54
CRITICAL	Command Injection via execSync with unsanitized user input The skill uses `child_process.execSync` to execute a shell command constructed with user-provided message text (`event.message.text`) and environment variables (`CLAWDBOT_BIN`, `LINE_BRIDGE_PATH`). The sanitization `formattedMsg.replace(/'/g, '')` is insufficient to prevent shell metacharacters (e.g., backticks, `$()`, semicolons, newlines) from being injected, allowing an attacker to execute arbitrary commands on the host system. Furthermore, the `CLAWDBOT_BIN` and `LINE_BRIDGE_PATH` environment variables, if controlled by an attacker, can be used to execute malicious binaries or hijack the execution path. Avoid using `execSync` with user-controlled input. If external process execution is strictly necessary, use `child_process.spawn` or `child_process.execFile` with a fixed command and arguments passed as an array, not a single string, to prevent shell interpretation. Thoroughly sanitize all user input before passing it to any shell command. Restrict the `CLAWDBOT_BIN` and `LINE_BRIDGE_PATH` environment variables to trusted values or hardcode the path to `clawdbot` if possible, and ensure the `PATH` used for `execSync` does not include attacker-controlled directories.	LLM	index.js:40
HIGH	Unauthenticated Internal API Endpoint The skill exposes an `/internal/send` POST endpoint that allows sending arbitrary messages (text or image) to any LINE `target` ID. This endpoint lacks any form of authentication or authorization, meaning any entity capable of making an HTTP request to the skill's exposed port can abuse this functionality to send spam, phishing messages, or other malicious content via the configured LINE channel. Implement robust authentication and authorization mechanisms for the `/internal/send` endpoint. This could involve API keys, token-based authentication, or IP whitelisting, depending on the deployment environment and security requirements. Ensure this endpoint is only accessible from trusted internal services or networks, and not exposed directly to the public internet.	LLM	index.js:56
MEDIUM	Unpinned npm dependency version Dependency '@line/bot-sdk' is not pinned to an exact version ('^10.6.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk.	Dependencies	skills/stu24801/line-bridge-shrimp/package.json
MEDIUM	Arbitrary File Read via LINE_BRIDGE_CONFIG_DIR environment variable The skill reads sensitive configuration files (`.line_token`, `.line_secret`, `.line_allowed_sources`) from a directory specified by `process.env.LINE_BRIDGE_CONFIG_DIR` (or `process.env.HOME` or `/tmp`). If an attacker can manipulate the `LINE_BRIDGE_CONFIG_DIR` environment variable, they could force the skill to read arbitrary files on the system. While the content of these files is not directly exfiltrated by this specific code path, the ability to read arbitrary files can be a precursor to data exfiltration, especially when combined with other vulnerabilities like command injection. Restrict the `LINE_BRIDGE_CONFIG_DIR` environment variable to a fixed, secure, and non-user-writable directory. If dynamic configuration paths are necessary, implement strict validation to ensure the path is within an allowed directory or whitelist specific file names. Ensure the skill runs with the principle of least privilege, limiting its ability to read files outside its designated configuration directory.	LLM	index.js:13

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/88497631a6a3097c.svg)](https://skillshield.io/report/88497631a6a3097c)