Trust Assessment
luckylobster received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. The single finding is Command Injection via API Key Storage.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via API Key Storage | LLM Behavioral Safety | skill.md:100 |

Command Injection via API Key Storage: the skill documentation suggests storing the obtained API key by running a direct shell `echo` command that appends it to an environment file (`~/.openclaw/.env`). From the shell's perspective the `api_key` value returned by the LuckyLobster API is untrusted input. If that value is interpolated verbatim into the command text and contains shell metacharacters (e.g., `;`, `&`, `|`, `$(...)`, backticks), the shell parses them as syntax and executes them, giving arbitrary command execution on the host. This is a classic command injection vulnerability. Remediation: avoid direct shell commands with untrusted input for credential storage. Use the secure, programmatic method provided by the agent's runtime (the `gateway.config.patch` route shown in Option A), which handles sanitization and escaping itself. If shell execution is absolutely necessary, validate the key against the character set a real token should contain and pass it only as a quoted data argument, never as part of the command string, so metacharacters are never interpreted.
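The following script is an added example written for this report; it is not code from the luckylobster skill, from OpenClaw, or from SkillShield. It contrasts the injectable pattern described in the finding with a hardened version, using a constructed "API response" whose key carries a payload. The variable name `LUCKYLOBSTER_API_KEY`, the function names, and the temporary file paths are assumptions for illustration; the page's recommended programmatic route (`gateway.config.patch`) is not shown because its interface is not described here.

```shell
#!/bin/sh
# Added example, not from the luckylobster skill or SkillShield. The key value,
# the variable name LUCKYLOBSTER_API_KEY and the file paths are assumptions.

# Vulnerable pattern: the agent splices the key into the *text* of a command and
# hands that text to a shell, so any metacharacter in the key becomes shell syntax.
store_key_unsafe() {
  key="$1"
  envfile="$2"
  sh -c "echo LUCKYLOBSTER_API_KEY=$key >> $envfile"
}

# Hardened pattern: the key is only ever a data argument. It is checked against
# the character set a real token should contain, then written by printf through
# a fixed format string, single-quoted so the .env loader also treats it as a
# literal. The subshell keeps the restrictive umask from leaking to the caller.
store_key_safe() {
  key="$1"
  envfile="$2"
  case "$key" in
    "")                echo "refusing empty key" >&2; return 1 ;;
    *[!A-Za-z0-9._-]*) echo "refusing key with unexpected characters" >&2; return 1 ;;
  esac
  ( umask 077; printf "LUCKYLOBSTER_API_KEY='%s'\n" "$key" >> "$envfile" )
}

# Demonstration on a constructed key whose value carries a shell payload.
workdir=$(mktemp -d)
bad_key="abc123; touch $workdir/pwned"

store_key_unsafe "$bad_key" "$workdir/unsafe.env" >/dev/null
[ -e "$workdir/pwned" ] && echo "unsafe: payload ran and created $workdir/pwned"

store_key_safe "$bad_key" "$workdir/safe.env" || echo "safe: malicious key rejected"
store_key_safe "ll_live_abc123" "$workdir/safe.env" && cat "$workdir/safe.env"

rm -rf "$workdir"
```

The unsafe variant creates the `pwned` marker because the `;` in the key ends the `echo` command and starts a second one; the hardened variant never reaches the shell parser with the key, and additionally refuses it because it fails the character-set check. The allow-list is deliberately strict: widen it only to characters the real token format actually uses.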
Full report: https://skillshield.io/report/fb898528dfc598eb
Powered by SkillShield