Trust Assessment
lingzhu received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 11 findings: 3 critical, 5 high, 0 medium, and 3 low severity. Key findings include network egress to untrusted endpoints, a missing Node lockfile, and an undeclared `commander` dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 5acc5677). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (11)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints. HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/endlessjour9527/rokid/extension/index.ts:94 |
| CRITICAL | Network egress to untrusted endpoints. HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/endlessjour9527/rokid/extension/src/cli.ts:33 |
| CRITICAL | Network egress to untrusted endpoints. HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/endlessjour9527/rokid/extension/src/http-handler.ts:117 |
| HIGH | Undeclared `commander` dependency. The `extension/src/cli.ts` file imports types from the `commander` package, indicating its use. However, `commander` is not listed in the `dependencies` section of either `package.json` file. This can lead to runtime errors if `commander` is not globally available or installed in the execution environment, and makes the skill's dependency tree opaque, hindering security audits and reproducibility. Add `"commander": "^X.Y.Z"` to the `dependencies` section of the `package.json` file, replacing `X.Y.Z` with the appropriate version range. | LLM | package.json |
| HIGH | Authentication key (`authAk`) logged to console/stdout. The `activeAuthAk`, which serves as a Bearer Token for authentication with the Lingzhu platform, is explicitly logged to `logger.info` and `console.log` in `extension/index.ts` during plugin startup. This poses a significant data exfiltration risk, as system logs or standard output streams are often accessible and may not have the same security controls as configuration files or environment variables. Redact or mask the `authAk` when logging. For example, log only a hash or the last few characters, or use a debug-level log that is typically not enabled in production. Ensure that `console.log` statements for sensitive data are removed or replaced with secure logging practices. | LLM | extension/index.ts:100 |
| HIGH | Authentication key (`authAk`) logged to console/stdout. The `activeAuthAk`, which serves as a Bearer Token for authentication with the Lingzhu platform, is explicitly logged to `logger.info` and `console.log` in `extension/index.ts` during plugin startup. This poses a significant data exfiltration risk, as system logs or standard output streams are often accessible and may not have the same security controls as configuration files or environment variables. Redact or mask the `authAk` when logging. For example, log only a hash or the last few characters, or use a debug-level log that is typically not enabled in production. Ensure that `console.log` statements for sensitive data are removed or replaced with secure logging practices. | LLM | extension/index.ts:107 |
| HIGH | Authentication key (`authAk`) logged to console/stdout via CLI command. The `authAk`, which serves as a Bearer Token for authentication with the Lingzhu platform, is explicitly logged to `console.log` in `extension/src/cli.ts` when the `lingzhu info` command is executed. This poses a significant data exfiltration risk, as standard output streams are often accessible and may not have the same security controls as configuration files or environment variables. Redact or mask the `authAk` when logging. For example, log only a hash or the last few characters, or use a debug-level log that is typically not enabled in production. Ensure that `console.log` statements for sensitive data are removed or replaced with secure logging practices. | LLM | extension/src/cli.ts:40 |
| HIGH | Authentication key (`authAk`) logged to console/stdout via CLI command. The `authAk`, which serves as a Bearer Token for authentication with the Lingzhu platform, is explicitly logged to `console.log` in `extension/src/cli.ts` when the `lingzhu info` command is executed. This poses a significant data exfiltration risk, as standard output streams are often accessible and may not have the same security controls as configuration files or environment variables. Redact or mask the `authAk` when logging. For example, log only a hash or the last few characters, or use a debug-level log that is typically not enabled in production. Ensure that `console.log` statements for sensitive data are removed or replaced with secure logging practices. | LLM | extension/src/cli.ts:44 |
| LOW | Node lockfile missing. package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/endlessjour9527/rokid/extension/package.json |
| LOW | Node lockfile missing. package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/endlessjour9527/rokid/package.json |
| LOW | LLM-generated tool call arguments are JSON parsed and used directly. The skill receives tool call arguments (`tc.function.arguments`) directly from the OpenClaw LLM's response. These arguments are then `JSON.parse`d and their values are used to populate properties of a `LingzhuToolCall` object, which is subsequently sent to the Lingzhu platform. While `JSON.parse` itself is generally safe against arbitrary code execution in JavaScript, a maliciously crafted JSON string from a compromised or jailbroken LLM could potentially lead to unexpected data structures, resource exhaustion, or, more critically, if the *Lingzhu platform* then executes commands based on these unvalidated string values, it could become a command injection vulnerability on that platform. This skill acts as a conduit for potentially untrusted data from the LLM to another system. Implement robust validation and sanitization of all fields within the `args` object after `JSON.parse`, especially if these values are passed to external systems or used in sensitive operations. Ensure that the Lingzhu platform also performs strict validation and sanitization of incoming tool call arguments before execution. Consider adding schema validation for the parsed `args` object. | LLM | extension/src/transform.ts:108 |