Trust Assessment
moltspaces received a trust score of 10/100, placing it in the Untrusted category. The skill has significant security findings that should be resolved before it is used in production.
SkillShield's automated analysis identified 10 findings: 3 critical, 3 high, 4 medium and 0 low severity. Key findings: unsafe environment variable passthrough, arbitrary command execution and credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph and LLM Behavioral Safety. The Manifest Analysis layer scored lowest, at 25/100.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)
| Severity | Finding | Detail | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Remote code download piped to an interpreter. | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/logesh2496/spaces/setup.sh:12 |
| CRITICAL | Credential harvesting | Reads well-known credential environment variables. | Skills should only access the environment variables they explicitly need. Bulk environment dumps (`os.environ.copy()`, `JSON.stringify(process.env)`) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/logesh2496/spaces/bot.py:204 |
| CRITICAL | Remote code execution: curl/wget pipe to shell | A pattern that downloads remote code and executes it immediately. This is a primary malware delivery vector. | Never pipe curl/wget output directly to a shell interpreter. | Static | skills/logesh2496/spaces/setup.sh:12 |
| HIGH | Unsafe environment variable passthrough | Access to well-known credential environment variables. | Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/logesh2496/spaces/bot.py:204 |
| HIGH | Unsanitized user input in `curl` command in setup.sh | The `setup.sh` script builds the `curl` command that registers the agent from `AGENT_NAME` and `AGENT_DESC`, which are read directly from the user with `read -p` and inserted into the JSON payload of the `curl -d` argument without escaping. Input such as `MyAgent", "description": "foo"` terminates the JSON string and changes the structure of the payload sent to the registration API (JSON injection); if the script assembles the command with `eval` or an unquoted expansion, the same input can also execute shell commands on the machine running the script. | Escape user input before embedding it in the `curl -d` argument. Build the payload with a JSON-aware tool, for example `jq -n --arg name "$AGENT_NAME" --arg description "$AGENT_DESC" '{name: $name, description: $description}'`, or at minimum escape backslashes and double quotes in the input before interpolating it. | LLM | setup.sh:43 |
| HIGH | Insecure `uv` installation via `curl \| sh` in setup.sh | The `setup.sh` script installs the `uv` package manager by piping the output of `curl` directly to `sh`. This executes code downloaded from the internet without any inspection or verification: if the `astral.sh` domain, or the path to it, were compromised, the attacker's script would run with the privileges of whoever runs setup. | Do not pipe `curl` to `sh`. Install `uv` through a package manager where one is available, or download the installer, inspect it and verify its checksum before executing it. For automated environments, use a pre-built `uv` binary pinned to a version and digest. | LLM | setup.sh:10 |
| MEDIUM | Sensitive environment variable access: `$HOME` | Access to the sensitive environment variable `$HOME` detected in a shell context. | Verify that this access is necessary and that the value is not exfiltrated. | Static | skills/logesh2496/spaces/setup.sh:15 |
| MEDIUM | Unpinned Python dependency version | Dependency `pipecat-ai[webrtc,daily,silero,elevenlabs,openai,local-smart-turn-v3,runner]` is not pinned to an exact version. | Pin Python dependencies to exact versions where feasible. | Dependencies | skills/logesh2496/spaces/pyproject.toml |
| MEDIUM | Unpinned Python dependencies in pyproject.toml | The `pyproject.toml` file declares dependencies without exact versions, so any newer release of a library can be installed at setup time. That can bring breaking changes, new vulnerabilities, or malicious code if a maintainer's account is compromised, which raises the supply-chain risk of the skill. | Pin every dependency to an exact version (e.g. `package==1.2.3`) and manage the pins with a tool such as `uv` or `pip-tools`. | LLM | pyproject.toml:5 |
| MEDIUM | `load_dotenv(override=True)` can override securely injected environment variables | `bot.py` calls `dotenv.load_dotenv(override=True)`. In an OpenClaw managed environment, credentials such as `MOLTSPACES_API_KEY` are expected to be injected as environment variables by the platform's vault. With `override=True`, values from a local `.env` file overwrite those platform-injected variables, so the skill may run with stale, wrong, or compromised credentials from the file instead of the ones the platform provided; a tampered `.env` file then amounts to credential substitution and can send the skill's traffic to the wrong account. | Use `load_dotenv()` (the default is `override=False`) so that variables already present in the environment, including those set by OpenClaw's vault, are never overwritten by a local `.env` file. Developers who want local overrides can opt in explicitly; the skill's default should prefer platform-provided secrets. | LLM | bot.py:48 |
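The two `setup.sh` findings above (the `curl | sh` installer at line 10/12 and the unescaped `read -p` input in the `curl -d` body at line 43) have the same shape of fix: never hand untrusted bytes straight to an interpreter or a wire format. The script below is an added example written for this report, not the skill's own `setup.sh`; the function names, the temp-file layout, and the `REGISTER_URL`, `AGENT_NAME` and `AGENT_DESC` placeholders in the trailing comment are illustrative. It shows a download that is verified against a pinned SHA-256 before it runs, and a JSON payload built from user input with a minimal escaper (or `jq`, where available) beside the vulnerable interpolation the scanner flagged.

```shell
#!/bin/sh
# Added example (not the skill's own setup.sh): the two setup.sh findings
# fixed side by side. Function names and placeholder values are illustrative.

# --- Finding: curl | sh ---------------------------------------------------
# Download to a file, compare its SHA-256 against a digest pinned in advance,
# and only then execute it. Nothing runs if the digest differs.

# verify_sha256 FILE EXPECTED_HEX: succeeds only if the digests match.
verify_sha256() {
    _file=$1
    _expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        _actual=$(sha256sum "$_file" | awk '{print $1}')
    else
        _actual=$(shasum -a 256 "$_file" | awk '{print $1}')   # macOS fallback
    fi
    [ "$_actual" = "$_expected" ]
}

# fetch_verify_run URL EXPECTED_HEX: drop-in replacement for `curl URL | sh`.
# EXPECTED_HEX is the digest you recorded when you last reviewed the installer.
fetch_verify_run() {
    _url=$1
    _expected=$2
    _tmp=$(mktemp) || return 1
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$_tmp" "$_url"; then
        rm -f "$_tmp"
        return 1
    fi
    if ! verify_sha256 "$_tmp" "$_expected"; then
        echo "checksum mismatch for $_url, refusing to run it" >&2
        rm -f "$_tmp"
        return 1
    fi
    _rc=0
    sh "$_tmp" || _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# --- Finding: user input in the curl -d JSON body -------------------------
# json_escape STRING: escape one line of text for use inside a JSON string.
# Backslash, double quote, tab and carriage return are handled; `read -p`
# never returns an embedded newline, so that case does not arise here.
json_escape() {
    _tab=$(printf '\t')
    _cr=$(printf '\r')
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
        -e "s/$_tab/\\\\t/g" -e "s/$_cr/\\\\r/g"
}

# unsafe_payload NAME DESC: the pattern the report flags. A double quote in
# NAME terminates the JSON string and lets the user rewrite the payload.
unsafe_payload() {
    printf '{"name": "%s", "description": "%s"}' "$1" "$2"
}

# safe_payload NAME DESC: same shape, with every value escaped first.
# Where jq is installed, this is equivalent and preferable:
#   jq -n --arg name "$1" --arg description "$2" \
#      '{name: $name, description: $description}'
safe_payload() {
    printf '{"name": "%s", "description": "%s"}' \
        "$(json_escape "$1")" "$(json_escape "$2")"
}

# The registration call then becomes (REGISTER_URL is a placeholder):
#   curl -fsS -H 'Content-Type: application/json' \
#        -d "$(safe_payload "$AGENT_NAME" "$AGENT_DESC")" "$REGISTER_URL"
```

Note that with a properly double-quoted `-d "$(...)"` argument the unescaped input is a JSON injection, not a shell injection: the shell does not re-parse expanded variables. Shell injection only arises if the script assembles the command with `eval` or an unquoted expansion, so both quoting the argument and escaping the value are required.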
Full report: https://skillshield.io/report/04ae28c36c687912
Powered by SkillShield