Trust Assessment
masumi-payments received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 1 critical, 2 high, 1 medium, and 2 low severity. The most serious are unsanitized user input in shell commands for service installation (critical), an insecure default encryption key, and API keys sent to user-controlled service URLs (both high); the remaining findings concern an unpinned npm dependency and a missing lockfile.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 38/100; it is the layer that raised the injection and credential-handling findings.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Unsanitized user input in shell commands for service installation.** The `installPaymentService` and `startPaymentService` functions use `execSync` to run `git clone`, `npm install` and `npm start`. The `gitUrl` and `installPath` parameters, which the user (or the calling agent) controls through the `masumi_install_payment_service` and `masumi_start_payment_service` tools, are interpolated directly into those command strings without sanitization. Shell metacharacters (`;`, `&&`, `|`) in `installPath` or `gitUrl` therefore execute arbitrary commands on the host. Fix: pass the arguments as an array to `child_process.spawn` or `child_process.execFile` so that no shell parses them, and still validate the inputs: `gitUrl` must be a well-formed URL and `installPath` (also used as `cwd` for `npm install` and `npm start`) a normalized path inside an expected directory. | LLM | src/services/payment-service-installer.ts:59 |
| HIGH | **Insecure default encryption key for sensitive data.** `getEncryptionKey` in `src/utils/encryption.ts` reads the key from `process.env.MASUMI_ENCRYPTION_KEY` and, when that variable is unset, falls back to the hardcoded string `'default-encryption-key-change-me-in-production'`. Anything encrypted under that fallback, including the wallet mnemonics stored by `credential-store.ts`, can be decrypted by anyone who has read the source, enabling credential theft and data exfiltration. Fix: remove the default and throw if `MASUMI_ENCRYPTION_KEY` is not set. If zero-config operation is a hard requirement, generate a strong random key on first run and keep it in a platform-specific secret store; this adds complexity but avoids a shared, publicly known key. | LLM | src/utils/encryption.ts:26 |
| HIGH | **API keys sent to user-controlled, potentially malicious service URLs.** `ApiClient` (used by `PaymentManager`, `RegistryManager`, `AutoProvisionService` and `generateApiKey`) sends `apiKey` (and `sellerVkey` or `registryApiKey`) in HTTP headers to a `baseUrl` taken from the `MASUMI_PAYMENT_SERVICE_URL` or `MASUMI_REGISTRY_SERVICE_URL` environment variables or from tool parameters. If an AI agent or a malicious user supplies a URL for an attacker-controlled server, those headers are exfiltrated to it. The skill states that users run their *own* service but does nothing to reject a hostile URL. Fix: validate both URLs against trusted domains or IP ranges, especially if the skill targets a closed ecosystem; if arbitrary URLs must be allowed, warn clearly that the API keys will be sent to whatever host is configured, and consider a proxy or a stronger authentication mechanism. | LLM | src/utils/api-client.ts:19 |
| MEDIUM | **Unpinned npm dependency version.** `zod` is declared with a range (`^3.22.4`) rather than an exact version. Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/sarthib7/masumi/package.json |
| LOW | **Node lockfile missing.** `package.json` is present but no `package-lock.json`, `pnpm-lock.yaml` or `yarn.lock` was found. Commit a lockfile so that dependency resolution is deterministic. | Dependencies | skills/sarthib7/masumi/package.json |
| LOW | **Unpinned dependencies in package.json.** Most dependencies use caret ranges (e.g. `"zod": "^3.22.4"`), so new minor and patch releases are picked up automatically; a malicious release of any of them would be pulled in on the next install. Pin exact versions (e.g. `"zod": "3.22.4"`), commit a lockfile (`package-lock.json` or `yarn.lock`) and audit dependencies regularly for known vulnerabilities. | LLM | package.json:19 |
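The following is an added example, not code from masumi-payments, showing how the installer inputs from the critical finding and the service URL from the API-key finding can be handled: `git` and `npm` are invoked through `execFile` with an argument array instead of a shell string, `installPath` is confined to a base directory, and a service URL is checked against an operator allowlist before any API key would be attached to a request. The function names, the base directory, the allowlist and the sample repository URL are assumptions of the example.

```typescript
// Added example (not masumi-payments code): no shell between untrusted input and git/npm,
// and no API key sent to a host the operator did not allowlist.
import { execFile } from "node:child_process";
import * as path from "node:path";

export interface Invocation {
  file: string;
  args: string[];
  cwd?: string;
}

// The pattern the finding describes: untrusted strings spliced into a command line
// that a shell will parse. Returned as a string here only for comparison; never run it.
export function unsafeCloneCommand(gitUrl: string, installPath: string): string {
  return `git clone ${gitUrl} ${installPath}`;
}

function tryParseUrl(raw: string): URL | undefined {
  try {
    return new URL(raw);
  } catch {
    return undefined;
  }
}

// Accept only well-formed https URLs with no embedded credentials. Values such as
// "-c core.sshCommand=..." do not parse as URLs and are rejected before git sees them.
export function validateGitUrl(gitUrl: string): string {
  const parsed = tryParseUrl(gitUrl);
  if (!parsed) throw new Error(`gitUrl is not a valid URL: ${JSON.stringify(gitUrl)}`);
  if (parsed.protocol !== "https:") throw new Error(`gitUrl must use https, got ${parsed.protocol}`);
  if (parsed.username || parsed.password) throw new Error("gitUrl must not embed credentials");
  return parsed.toString();
}

// Resolve installPath under an operator-chosen base directory (an assumption of this
// example; the skill accepts any path) and refuse anything that escapes it.
export function validateInstallPath(installPath: string, baseDir: string): string {
  const base = path.resolve(baseDir);
  const target = path.resolve(base, installPath);
  const rel = path.relative(base, target);
  if (rel === "" || rel === ".." || rel.startsWith(`..${path.sep}`) || path.isAbsolute(rel)) {
    throw new Error(`installPath must be a subdirectory of ${base}: ${JSON.stringify(installPath)}`);
  }
  return target;
}

export function buildCloneInvocation(gitUrl: string, installPath: string, baseDir: string): Invocation {
  const url = validateGitUrl(gitUrl);
  const target = validateInstallPath(installPath, baseDir);
  // "--" ends git's option parsing, so neither value can be read as a flag.
  return { file: "git", args: ["clone", "--", url, target] };
}

export function buildNpmInvocation(installPath: string, baseDir: string, script: "install" | "start"): Invocation {
  return { file: "npm", args: [script], cwd: validateInstallPath(installPath, baseDir) };
}

// execFile hands argv straight to the program: a ";" or "|" inside an argument is
// just a character in a directory name, not a shell operator.
export function run(inv: Invocation): Promise<string> {
  return new Promise((resolve, reject) => {
    execFile(inv.file, inv.args, { cwd: inv.cwd }, (err, stdout) => {
      if (err) reject(err);
      else resolve(String(stdout));
    });
  });
}

// For the API-key finding: require TLS except on loopback, and refuse any host the
// operator did not list. Returns the origin the client may use as its baseUrl.
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);

export function assertTrustedServiceUrl(serviceUrl: string, allowedHosts: string[]): string {
  const parsed = tryParseUrl(serviceUrl);
  if (!parsed) throw new Error(`service URL is not a valid URL: ${JSON.stringify(serviceUrl)}`);
  const host = parsed.hostname;
  if (parsed.protocol !== "https:" && !LOOPBACK.has(host)) {
    throw new Error(`service URL must use https, got ${parsed.protocol}//${host}`);
  }
  if (!allowedHosts.includes(host)) {
    throw new Error(`service host ${host} is not allowlisted; API key not sent`);
  }
  return parsed.origin;
}
```

Note that even with `execFile`, the path check still matters: without it an `installPath` of `../../.ssh` would be a valid argv element and `git clone` would happily write there.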
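For the default-key finding, the following added example (not the skill's `encryption.ts`) puts the weak key loader beside a hardened one and shows the consequence of the weak one: a mnemonic encrypted under the fallback string is recovered by anyone who has the source. The key derivation (SHA-256 of the string), the AES-256-GCM layout, the hex key format and the sample mnemonic are assumptions of the example, not details taken from the project.

```typescript
// Added example (not masumi-payments code): required key vs. silent default, and why the
// default is equivalent to no encryption.
import { createCipheriv, createDecipheriv, createHash, randomBytes } from "node:crypto";

type Env = Record<string, string | undefined>;

// The fallback string named in the finding.
export const INSECURE_DEFAULT = "default-encryption-key-change-me-in-production";

// Stand-in for whatever derivation the skill applies to the string (assumed here to be
// SHA-256). The exact derivation does not matter: a fixed input yields a fixed key.
export function deriveKey(secret: string): Buffer {
  return createHash("sha256").update(secret, "utf8").digest();
}

// Weak pattern: silently fall back to the published default.
export function getEncryptionKeyInsecure(env: Env): Buffer {
  return deriveKey(env.MASUMI_ENCRYPTION_KEY ?? INSECURE_DEFAULT);
}

// Hardened: the key must be present, must not be the default, and must decode to 32 bytes.
// Generate one with `openssl rand -hex 32`.
export function getEncryptionKey(env: Env): Buffer {
  const raw = env.MASUMI_ENCRYPTION_KEY;
  if (!raw) throw new Error("MASUMI_ENCRYPTION_KEY is not set; refusing to run with a default key");
  if (raw === INSECURE_DEFAULT) throw new Error("MASUMI_ENCRYPTION_KEY is the insecure default value");
  if (!/^[0-9a-fA-F]{64}$/.test(raw)) throw new Error("MASUMI_ENCRYPTION_KEY must be 64 hex characters (32 bytes)");
  return Buffer.from(raw, "hex");
}

// AES-256-GCM with a fresh 12-byte IV; output is iv || tag || ciphertext, hex-encoded.
export function encrypt(key: Buffer, plaintext: string): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("hex");
}

// Throws if the key is wrong or the blob was tampered with (GCM tag check in final()).
export function decrypt(key: Buffer, blob: string): string {
  const buf = Buffer.from(blob, "hex");
  const iv = buf.subarray(0, 12);
  const tag = buf.subarray(12, 28);
  const ct = buf.subarray(28);
  const decipher = createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Constructed scenario: the operator never set the variable, so the mnemonic was stored
// under the default; an attacker holding only the source code recovers it.
export const SAMPLE_MNEMONIC =
  "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about";

export function demoDefaultKeyRecovery(): string {
  const stored = encrypt(getEncryptionKeyInsecure({}), SAMPLE_MNEMONIC); // victim side
  return decrypt(deriveKey(INSECURE_DEFAULT), stored);                  // attacker side
}
```

Failing closed at startup is the cheap fix; the zero-config alternative the finding mentions (random key on first run, kept in a platform secret store) only helps if the generated key never ends up next to the ciphertext it protects.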
Full report: [skillshield.io/report/db8855f8f4cd38dc](https://skillshield.io/report/db8855f8f4cd38dc)