Trust Assessment
morfeo-remotion-style received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 0 high, 2 medium, and 1 low severity. Key findings include Node lockfile missing, Potential shell command execution in skill description, Unpinned dependencies in setup instructions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Potential shell command execution in skill description: the skill description contains shell commands (`npx` and `npm i`) within a code block. If the AI agent's execution environment is configured to automatically execute code snippets found in skill descriptions, this could lead to command injection. While the commands provided are generally benign, this pattern represents a potential vulnerability if not properly sandboxed. Avoid including executable shell commands directly in skill descriptions. If setup instructions are necessary, clearly delineate them as human-readable instructions and ensure the agent's execution environment does not automatically run such code blocks. Consider providing a dedicated setup script or tool for users. | LLM | SKILL.md:100 |
| MEDIUM | Unpinned dependencies in setup instructions: the skill's setup instructions recommend installing `@remotion/google-fonts` and using `npx create-video@latest` without specifying fixed versions. Relying on `@latest` or unpinned versions can introduce supply chain risks, as a malicious update to these packages could be automatically pulled in, compromising the project. Always pin dependencies to specific versions (e.g., `npm i @remotion/google-fonts@1.2.3`) to ensure reproducibility and mitigate risks from malicious updates. If this is a runnable package, update `package.json` with explicit dependency versions. | LLM | SKILL.md:100 |
| LOW | Node lockfile missing: package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/pauldelavallaz/morfeo-remotion-style/package.json |