Trust Assessment
media-backup received a trust score of 63/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 1 medium, and 1 low severity. Key findings include "Sensitive environment variable access: $HOME", "Sensitive path access: AI agent config", and "Unpinned dependency version".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/dbhurley/media-backup/SKILL.md:44 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/dbhurley/media-backup/SKILL.md:52 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/dbhurley/media-backup/SKILL.md:12 |
| LOW | Unpinned dependency version. The skill specifies a dependency 'click' with a version constraint '>=8.0.0' but does not pin it to a specific patch version. This could potentially allow a future update to introduce breaking changes or, in rare cases, vulnerabilities, though 'click' is a widely used and stable library. Pin the dependency to a specific patch version, e.g., 'click==8.1.7', or at least to a minor version, e.g., 'click~=8.1.0' or 'click>=8.0.0,<8.2.0'. | LLM | scripts/backup.py:3 |