Trust Assessment
lulu-monitor received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 4 critical, 4 high, 1 medium, and 1 low severity. Key findings include persistence / self-modification instructions, network egress to untrusted endpoints, and a macOS LaunchAgent persistence mechanism.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Persistence / self-modification instructions.** macOS LaunchAgent/LaunchDaemon persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/dexiaong/lulu-monitort/SKILL.md:110 |
| CRITICAL | **Persistence / self-modification instructions.** macOS LaunchAgent/LaunchDaemon persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/dexiaong/lulu-monitort/SKILL.md:111 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/dexiaong/lulu-monitort/SKILL.md:71 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/dexiaong/lulu-monitort/SKILL.md:88 |
| HIGH | **Persistence mechanism: macOS LaunchAgent.** Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/dexiaong/lulu-monitort/SKILL.md:110 |
| HIGH | **Persistence mechanism: macOS LaunchAgent.** Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/dexiaong/lulu-monitort/SKILL.md:111 |
| HIGH | **Skill requires high-privilege Accessibility permissions.** The skill explicitly requires 'Accessibility Permission' on macOS to interact with the LuLu Firewall UI. Granting this permission allows the skill (and any potentially compromised component of it) to control other applications, simulate user input, and potentially access sensitive data from other applications. While necessary for the skill's stated functionality, it represents a significant security risk if the skill itself has vulnerabilities or is compromised, as it could be leveraged for broader system control or data exfiltration. Acknowledge and clearly communicate the security implications of granting Accessibility permissions to users. Ensure all skill components that operate with this permission are thoroughly audited for vulnerabilities, especially command injection and data exfiltration. Implement robust sandboxing or privilege separation where possible, even if the core functionality requires high privileges. | LLM | SKILL.md:56 |
| HIGH | **Potential Command Injection via local callback endpoint.** The skill exposes a local HTTP endpoint (`http://127.0.0.1:4441/callback`) to handle actions triggered by Telegram buttons. The `action` parameter (e.g., 'allow', 'block', 'allow-once', 'block-once') is derived from user interaction via Telegram. The description states this endpoint will 'Click the appropriate button on LuLu alert' and 'Set Rule Scope/Duration', implying the `action` value is used to construct `osascript` or other shell commands. If the `action` parameter is not strictly validated and sanitized before being incorporated into shell commands, a malicious actor (who can send requests to this local endpoint, or potentially manipulate Telegram callback data if not properly signed/verified) could inject arbitrary commands. Implement strict allow-listing for the `action` parameter and any other user-controlled input received by the `/callback` endpoint. When constructing shell commands (e.g., `osascript` calls), use parameterized execution or robust escaping mechanisms to prevent injection. Ensure the local endpoint is only accessible from trusted sources (e.g., `localhost` and the skill's own processes). | LLM | SKILL.md:90 |
| MEDIUM | **Unspecified npm dependencies and cloning source pose supply chain risk.** The installation instructions mention 'Install npm dependencies' and 'Clone the repo to ~/.openclaw/lulu-monitor/'. However, the `package.json` (which lists npm dependencies) and the specific URL for cloning the repository are not provided in the `SKILL.md`. Without this information, it's impossible to verify if dependencies are pinned to specific, known-good versions, if the cloning source is trusted and immutable, or if there are any typosquatting or malicious packages in the dependency tree. This creates a blind spot for supply chain attacks. Provide the `package.json` and `package-lock.json` files for analysis to ensure dependencies are pinned and free from known vulnerabilities. Explicitly state the full Git repository URL used for cloning in the `install.sh` script and ensure it points to a trusted source. | LLM | SKILL.md:66 |
| LOW | **Sensitive network connection data sent to Telegram.** The skill's core functionality involves extracting sensitive network connection information (process, IP, port, DNS) from LuLu firewall alerts and sending it to Telegram as part of a 'risk assessment' notification. While this is an intended feature, it means potentially private user network activity data is transmitted to a third-party service (Telegram). Users should be fully aware of this data transfer and its privacy implications. Clearly and prominently disclose to users that their network connection data will be sent to Telegram. Provide options for users to control the level of detail sent or to disable this feature if privacy is a paramount concern. Ensure the `telegramId` configuration is secure and prevents unintended recipients. | LLM | SKILL.md:20 |