Trust Assessment
luckylobster received a trust score of 88/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection / Excessive Permissions via Shell Command.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection / Excessive Permissions via Shell Command. The skill documentation, marked as untrusted content, instructs the agent to execute a shell command (`echo ... >> ~/.openclaw/.env`) to store an API key. If the agent is configured to execute shell commands directly from documentation without proper sanitization or sandboxing, this could lead to arbitrary file writes or command injection if the API key value were to contain malicious shell metacharacters. This instruction also implies that the agent is expected to have permissions to execute shell commands and modify the filesystem, which could be considered excessive. For the skill: Remove instructions for storing credentials via direct shell commands like `echo` to a file. Instead, exclusively recommend secure, sandboxed methods such as `gateway.config.patch`, which provides a controlled API for configuration updates. For the agent: Implement strict sandboxing for shell execution and require explicit user confirmation for any filesystem modifications, especially when processing untrusted content. | LLM | skill.md:106 |