Trust Assessment
llm-supervisor received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 2 critical, 2 high, 1 medium, and 2 low severity. Key findings include Network egress to untrusted endpoints, Unsafe deserialization / dynamic eval, Node lockfile missing.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Recommendation: review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/dhardie/llm-supervisor/dist/hooks/onAgentStart.js:18 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Recommendation: review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/dhardie/llm-supervisor/hooks/onAgentStart.ts:23 |
| HIGH | Unsafe deserialization / dynamic eval: decryption followed by code execution. Recommendation: remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/dhardie/llm-supervisor/dist/hooks/beforeTaskExecute.js:29 |
| HIGH | External LLM error message used unsanitized in agent's reply: the skill stores the raw error message from an external LLM (`event.error?.message`) in its state (`state.lastError`). This `lastError` is then directly included in the response to the `/llm status` command without sanitization. If a malicious or compromised external LLM returns an error message containing prompt injection instructions (e.g., markdown that the agent LLM interprets as commands), these instructions could manipulate the agent's subsequent behavior. Recommendation: sanitize `state.lastError` before including it in `cmd.reply`. This could involve stripping markdown, escaping special characters, or explicitly marking it as literal text if the agent LLM supports such distinctions. Alternatively, only include a predefined, safe subset of the error message or a generic error message. | LLM | commands/llm.ts:17 |
| MEDIUM | Skill configuration `localModel` used unsanitized in agent's notification: the `ctx.config.localModel` value is directly embedded into notification messages sent to the agent LLM via `ctx.notify.all`. If a malicious skill developer sets `localModel` to include prompt injection instructions (e.g., markdown commands), these could be interpreted by the agent LLM, potentially manipulating its behavior. Recommendation: ensure `ctx.config.localModel` is sanitized or restricted to a safe format (e.g., alphanumeric only) before being displayed to the agent LLM. The SDK could also provide a mechanism to mark parts of the notification message as literal text not to be interpreted as instructions. | LLM | commands/llm.ts:35 |
| LOW | Node lockfile missing: package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Recommendation: commit a lockfile for deterministic dependency resolution. | Dependencies | skills/dhardie/llm-supervisor/package.json |
| LOW | Missing explicit dependencies in package.json: the `package.json` file does not list any `dependencies` or `devDependencies`, despite the TypeScript source files (`.ts`) clearly importing and using `@openclaw/sdk`. This indicates that the project relies on implicit or globally available dependencies, which can lead to non-reproducible builds, unexpected behavior, or the use of outdated/vulnerable versions of libraries if the environment is not strictly controlled. Recommendation: add `@openclaw/sdk` and any other necessary libraries (e.g., TypeScript itself if used for compilation) to the `dependencies` or `devDependencies` section of `package.json` with pinned versions to ensure build reproducibility and explicit dependency management. | LLM | package.json:1 |
Full report: https://skillshield.io/report/d0cbfd6832e03cf6
Powered by SkillShield