Trust Assessment
linux-patcher received a trust score of 44/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 2 critical, 6 high, 4 medium, and 0 low severity. Key findings include "Sensitive environment variable access: $HOME", "Command Injection via Sourcing Untrusted Configuration Files", and "Command Injection via `eval` of Remote Output".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (12)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via Sourcing Untrusted Configuration Files.** The skill uses `source` to execute configuration files (`$CONFIG_FILE` in `patch-multiple.sh` and `$HOME/.patchmon-credentials.conf` in `patchmon-query.sh`). If these files are controlled by an attacker or contain malicious content, arbitrary commands can be executed on the local machine with the permissions of the OpenClaw agent. This is a direct and critical command injection vulnerability. Avoid using `source` with untrusted or user-controlled files. Instead, parse configuration files using safer methods (e.g., `read` line by line, `jq` for JSON, or dedicated configuration parsing libraries) that do not execute arbitrary code. Validate all input from configuration files before use. | LLM | scripts/patch-multiple.sh:25 |
| CRITICAL | **Command Injection via Sourcing Untrusted Configuration Files.** The skill uses `source` to execute configuration files (`$HOME/.patchmon-credentials.conf` in `patchmon-query.sh`). If this file is controlled by an attacker or contains malicious content, arbitrary commands can be executed on the local machine with the permissions of the OpenClaw agent. This is a direct and critical command injection vulnerability. Avoid using `source` with untrusted or user-controlled files. Instead, parse configuration files using safer methods (e.g., `read` line by line, `jq` for JSON, or dedicated configuration parsing libraries) that do not execute arbitrary code. Validate all input from configuration files before use. | LLM | scripts/patchmon-query.sh:8 |
| HIGH | **Command Injection via `eval` of Remote Output.** The scripts `patch-auto.sh`, `patch-host-full.sh`, and `patch-host-only.sh` use `eval "$("$SCRIPT_DIR/detect-os.sh" "$HOST")"`. The `detect-os.sh` script executes commands on a remote host (`$HOST`) to determine its OS. If a malicious remote host can craft its `/etc/os-release` or `/etc/redhat-release` content, it could cause `detect-os.sh` to output malicious shell commands. These commands would then be executed on the local machine via `eval`, leading to command injection. Avoid using `eval` with output derived from untrusted sources. Instead of `eval`, parse the output of `detect-os.sh` in a structured way (e.g., using `grep` and `awk` to extract specific key-value pairs) and assign variables explicitly, ensuring no shell metacharacters are interpreted as commands. | LLM | scripts/patch-auto.sh:100 |
| HIGH | **Command Injection via `eval` of Remote Output.** The scripts `patch-auto.sh`, `patch-host-full.sh`, and `patch-host-only.sh` use `eval "$("$SCRIPT_DIR/detect-os.sh" "$HOST")"`. The `detect-os.sh` script executes commands on a remote host (`$HOST`) to determine its OS. If a malicious remote host can craft its `/etc/os-release` or `/etc/redhat-release` content, it could cause `detect-os.sh` to output malicious shell commands. These commands would then be executed on the local machine via `eval`, leading to command injection. Avoid using `eval` with output derived from untrusted sources. Instead of `eval`, parse the output of `detect-os.sh` in a structured way (e.g., using `grep` and `awk` to extract specific key-value pairs) and assign variables explicitly, ensuring no shell metacharacters are interpreted as commands. | LLM | scripts/patch-host-full.sh:26 |
| HIGH | **Command Injection via `eval` of Remote Output.** The scripts `patch-auto.sh`, `patch-host-full.sh`, and `patch-host-only.sh` use `eval "$("$SCRIPT_DIR/detect-os.sh" "$HOST")"`. The `detect-os.sh` script executes commands on a remote host (`$HOST`) to determine its OS. If a malicious remote host can craft its `/etc/os-release` or `/etc/redhat-release` content, it could cause `detect-os.sh` to output malicious shell commands. These commands would then be executed on the local machine via `eval`, leading to command injection. Avoid using `eval` with output derived from untrusted sources. Instead of `eval`, parse the output of `detect-os.sh` in a structured way (e.g., using `grep` and `awk` to extract specific key-value pairs) and assign variables explicitly, ensuring no shell metacharacters are interpreted as commands. | LLM | scripts/patch-host-only.sh:25 |
| HIGH | **Command Injection via Unsanitized Variables in SSH Commands.** The `patch-host-full.sh` script constructs SSH commands using `$DOCKER_PATH` directly, for example, `ssh "$HOST" "cd $DOCKER_PATH && sudo docker compose pull"`. If `$DOCKER_PATH` (which can be user-provided or derived from a potentially malicious PatchMon API response) contains shell metacharacters (e.g., `;`, `&`, `\|`, `$(...)`), it could lead to command injection on the remote host. Ensure all variables used in `ssh` commands are properly sanitized or quoted to prevent shell metacharacter interpretation. For paths, consider using `printf %q` or similar methods to escape special characters, or pass the path as a separate argument to a remote script that handles `cd` safely. | LLM | scripts/patch-host-full.sh:90 |
| HIGH | **Credential Injection via Unsanitized Variables in `curl` JSON Payload.** The `patchmon-query.sh` script constructs a JSON payload for `curl` authentication using `$PATCHMON_USERNAME` and `$PATCHMON_PASSWORD` directly: `-d "{\"username\":\"$PATCHMON_USERNAME\",\"password\":\"$PATCHMON_PASSWORD\"}"`. If these variables (sourced from `$HOME/.patchmon-credentials.conf`) contain double quotes or other JSON/shell metacharacters, an attacker could inject arbitrary JSON or shell commands into the `curl` request, potentially leading to credential leakage or command execution. Properly escape or sanitize `$PATCHMON_USERNAME` and `$PATCHMON_PASSWORD` before embedding them into a JSON string. A safer approach is to use `jq` to construct the JSON payload from variables, or use `curl`'s `--data-urlencode` or `--json` options if available and appropriate. | LLM | scripts/patchmon-query.sh:34 |
| HIGH | **Data Exfiltration/Command Injection via Malicious PatchMon API Response.** The `patchmon-query.sh` script queries a PatchMon API and parses the JSON response using `jq`. It then extracts `hostname`, `sshUser`, and `dockerPath` and writes them into a temporary configuration file (`$OUTPUT_CONFIG`). This temporary file is later `source`d by `patch-auto.sh`. If a malicious PatchMon server returns crafted values for these fields (e.g., `{"hostname": "evil.com", "sshUser": "user", "dockerPath": "/tmp; rm -rf /"}`), it could lead to command injection on the local machine when `patch-auto.sh` sources the generated config. Validate and sanitize all data received from external APIs before using it to construct shell commands or configuration files that will be sourced. Ensure that `hostname`, `sshUser`, and `dockerPath` only contain expected characters and do not include shell metacharacters. Avoid sourcing dynamically generated files that contain data from untrusted sources. | LLM | scripts/patchmon-query.sh:70 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/jgm2025/linux-patcher/scripts/patch-auto.sh:108 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/jgm2025/linux-patcher/scripts/patch-host-full.sh:60 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/jgm2025/linux-patcher/scripts/patchmon-query.sh:8 |
| MEDIUM | **Reliance on Passwordless Sudo with Restricted Permissions.** The skill explicitly requires 'Passwordless sudo access - Configured with restricted permissions' on target hosts. While the `SKILL.md` provides an example of limiting sudoers to specific commands (`/usr/bin/apt`, `/usr/bin/docker`), misconfiguration by the user could lead to broader sudo access than intended. If the sudoers configuration is not strictly limited, a compromised skill or an injection vulnerability could gain root access on target systems. Emphasize the critical importance of strictly limiting passwordless sudo permissions to only the absolutely necessary commands and paths. Provide a robust, tested `sudoers.d` configuration example that minimizes the attack surface. Implement checks within the scripts to verify that the executing user has only the expected sudo permissions, if feasible. | LLM | SKILL.md:204 |