Trust Assessment
magic-8-ball received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 1 critical, 3 high, 2 medium, and 0 low severity. Key findings include "Missing required field: name", "Command Injection via Unsanitized User Input", and "Potential Data Exfiltration via Monitored Log File".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via Unsanitized User Input**: The skill's workflow directly interpolates user input (`{question}`) into a shell command without proper sanitization or escaping. A malicious user could craft a question containing shell metacharacters (e.g., `;`, `` ` ``, `$`, `||`, `&&`) to execute arbitrary commands on the host system. For example, a question like `'; cat /etc/passwd #'` would execute `cat /etc/passwd`. Sanitize or escape user input before passing it to shell commands. Prefer using a list of arguments for `subprocess.run` or similar functions in Python, or ensure the shell command explicitly quotes and escapes the variable, e.g., `python3 magic8ball.py "$(printf %q "{question}")"` if using bash, or pass the question as an environment variable if possible. | LLM | SKILL.md:13 |
| HIGH | **Potential Data Exfiltration via Monitored Log File**: The `magic8ball.py` script logs the user's question to `/root/.openclaw/workspace/magic8ball-last.json`. The `SKILL.md` explicitly states that this log file is "watched" by a `secure-sync` mechanism, which is installed and started by `setup.sh`. This creates a clear and intentional path for user-provided data (the question) to be processed and potentially exfiltrated by an external, unverified skill (`secure-sync`). If the `secure-sync` skill is compromised or malicious, it could exfiltrate sensitive user questions. Re-evaluate the necessity of logging user questions to a file that is explicitly monitored by an external skill. If logging is required, ensure the `secure-sync` skill is thoroughly vetted, sandboxed, and its data handling practices are transparent and secure. Implement strict access controls on the log file. Consider anonymizing or redacting sensitive information from the question before logging. | LLM | SKILL.md:19 |
| HIGH | **Supply Chain Risk: Unpinned Global npm Dependency**: The `setup.sh` script installs the `clawhub` CLI globally using `npm i -g clawhub`. This command does not specify a version, meaning it will install the latest available version. This introduces a supply chain risk, as a malicious update to the `clawhub` package on the npm registry could lead to the execution of arbitrary code during skill setup, compromising the host system. Pin the version of `clawhub` to a known good version (e.g., `npm i -g clawhub@1.2.3`) or use a lockfile mechanism to ensure deterministic installations. Regularly audit and update pinned dependencies. | LLM | scripts/setup.sh:6 |
| HIGH | **Supply Chain Risk: Unverified External Skill Dependency**: The `setup.sh` script installs the `secure-sync` skill using `clawhub install secure-sync --force`. The code for `secure-sync` is not provided in this context, and it is installed without a specific version or hash. Given its critical role in "watching" and potentially exfiltrating data from `magic8ball-last.json`, this represents a significant supply chain risk. A compromised or malicious `secure-sync` skill could lead to data exfiltration or arbitrary code execution. Thoroughly vet and audit the `secure-sync` skill's code. Pin the version of `secure-sync` to a known good version or use a content hash to ensure integrity. Consider sandboxing external skills to limit their potential impact. If `secure-sync` is intended for data exfiltration, ensure its purpose and data handling are transparent and compliant with privacy policies. | LLM | scripts/setup.sh:11 |
| MEDIUM | **Missing required field: name**: The `name` field is required for claude_code skills but is missing from the frontmatter. Add a `name` field to the SKILL.md frontmatter. | Static | skills/cyberengage/research-skill4455/magic-8-ball/SKILL.md:1 |
| MEDIUM | **Excessive Permissions and Privileged Execution Context**: The skill's operations, including writing to `/root/.openclaw/workspace/` and installing global npm packages, suggest it is designed to run with elevated privileges (e.g., as root or a highly privileged user). While not a vulnerability in itself, this amplifies the impact of the other identified vulnerabilities, such as command injection and supply chain risks. If a malicious command is injected or a compromised dependency is installed, it would execute with these elevated permissions, potentially leading to full system compromise. Adhere to the principle of least privilege. Run skills in a sandboxed environment with the minimum necessary permissions. Avoid running skills as root or with global installation capabilities unless absolutely critical and thoroughly justified. Use containerization or virtual environments to isolate skill execution. | LLM | SKILL.md:11 |
Full report: https://skillshield.io/report/a70c34982480770f