Trust Assessment
ms-qwen-vl received a trust score of 44/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 0 critical, 3 high, 4 medium, and 0 low severity. Key findings include argument injection via user-controlled input in a shell command, data exfiltration via arbitrary local file reading and upload, and unpinned Python dependency versions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| HIGH | Argument injection via user-controlled input in a shell command | `SKILL.md` instructs the LLM to run `python scripts/ms_qwen_vl.py "<图片路径>" --task <任务类型>` (the placeholders mean "image path" and "task type"); both values are taken directly from user input. The examples wrap the image path in double quotes, but a path such as `foo.png" --task ocr --api-key MALICIOUS_KEY #` closes the quotes, injects additional arguments into the Python script and comments out the rest of the template. A user can thereby override parameters such as `--api-key` or `--model`, which can lead to unauthorised API usage or other unintended behaviour. The LLM should be instructed to strictly escape user input before constructing shell commands (for example with `shlex.quote()` in a wrapper script, or another quoting mechanism that handles embedded quotes). Better still, the skill should expose a tool function that takes structured arguments and invokes the script with an argv list rather than building a shell string. | LLM | SKILL.md:30 |
| HIGH | Data exfiltration via arbitrary local file reading and upload | The skill's core functionality reads local image files named by the user (e.g. `C:\Users\...\Desktop\screenshot.png`, `D:\Documents\invoice.jpg`), base64-encodes them and sends them to the ModelScope API. A malicious user can therefore instruct the agent to read *any* image file the agent's process can access and exfiltrate its contents to a third-party service (ModelScope). Although this is the intended functionality, it is a significant data exfiltration risk if the agent is compromised or misused. Restrict reads to an allowlist of directories, prompt the user for explicit confirmation before uploading sensitive file types or files from sensitive locations, and consider sandboxing the execution environment to limit filesystem access. | LLM | scripts/ms_qwen_vl.py:40 |
| HIGH | Prompt injection via user-controlled question to the downstream LLM | Users can supply a custom `question` via the `--question` argument, in particular for the "ask" task. The question is incorporated into the prompt sent to the ModelScope Qwen3-VL API without sanitisation or escaping, so a user can embed instructions or adversarial prompts that manipulate the downstream model, potentially producing unintended outputs, leaking data from the ModelScope context, or enabling other prompt injection attacks. Sanitise user-provided questions or use a robust templating mechanism before sending them downstream; keep user input in the user message and system instructions in the system message, validate input, and parse the model's output rather than trusting it. | LLM | scripts/ms_qwen_vl.py:79 |
| MEDIUM | Unpinned Python dependency version | Requirement `openai>=1.0.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Dependencies | skills/crocketc/ms-qwen-vl/requirements.txt:5 |
| MEDIUM | Unpinned Python dependency version | Requirement `Pillow>=9.0.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Dependencies | skills/crocketc/ms-qwen-vl/requirements.txt:8 |
| MEDIUM | Unpinned Python dependency version | Requirement `python-dotenv>=1.0.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Dependencies | skills/crocketc/ms-qwen-vl/requirements.txt:11 |
| MEDIUM | Arbitrary file write via the `--output` argument | `ms_qwen_vl.py` lets the user choose an output file path with `--output` and writes the analysis result there with `output_path.write_text(result, encoding="utf-8")`. A malicious user can thus write content (the analysis result, which the input image and prompt partly control) to any location where the agent's process has write permission, overwriting important files, planting scripts, or filling the disk. Restrict output paths to a designated sandbox directory, validate the argument so that traversal (`../`) and absolute paths cannot escape it, and prompt the user for confirmation before writing to potentially sensitive locations. | LLM | scripts/ms_qwen_vl.py:204 |
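The following is an added example, not code from the ms-qwen-vl skill or from SkillShield, that makes the argument-injection finding (SKILL.md:30) and the `--output` / image-path findings concrete. It reproduces the double-quote breakout with `shlex`, shows the `shlex.quote()` and argv-list alternatives, and confines user-supplied image and output paths to operator-chosen directories. The argument names `--task`, `--question`, `--output` and `--api-key` come from the report; the task names in `ALLOWED_TASKS`, the sandbox directories and the wrapper itself are assumptions.

```python
"""Argument injection and path containment for a wrapper around ms_qwen_vl.py.

Added example; not the skill's own code. Task names and directories are assumed.
"""
import shlex
from pathlib import Path
from typing import List, Optional

SCRIPT = ["python", "scripts/ms_qwen_vl.py"]
ALLOWED_TASKS = {"describe", "ocr", "ask"}  # assumed; the report does not list the tasks

# Constructed attacker input for the image path. The embedded double quote ends the
# quoted argument, the rest becomes extra arguments, and the trailing '#' comments
# out whatever the SKILL.md template appends after the path.
INJECTED_IMAGE = 'foo.png" --task ocr --api-key MALICIOUS_KEY #'


def shell_argv_template(image: str, task: str) -> List[str]:
    """Vulnerable pattern from the finding: the LLM drops the user's path into a
    shell string wrapped in double quotes. shlex.split(comments=True) tokenises the
    string the way a POSIX shell would, so the injected arguments become visible."""
    cmd = f'python scripts/ms_qwen_vl.py "{image}" --task {task}'
    return shlex.split(cmd, comments=True)


def shell_argv_quoted(image: str, task: str) -> List[str]:
    """Same shell string, but every user-controlled field goes through shlex.quote(),
    so the attacker's whole string stays a single (harmless) filename argument."""
    cmd = f"python scripts/ms_qwen_vl.py {shlex.quote(image)} --task {shlex.quote(task)}"
    return shlex.split(cmd, comments=True)


def is_within(base: Path, user_path: str) -> bool:
    """True if user_path, with symlinks and '..' resolved, lies strictly inside base.
    Joining an absolute user_path onto base yields the absolute path itself, so
    absolute paths are rejected unless they already point inside base."""
    base = base.resolve()
    candidate = (base / user_path).resolve()
    return base in candidate.parents


def resolve_within(base: Path, user_path: str) -> Path:
    """Containment check that raises instead of returning False."""
    if not is_within(base, user_path):
        raise ValueError(f"{user_path!r} escapes {base}")
    return (base.resolve() / user_path).resolve()


def build_argv(images_dir: Path, output_dir: Path, image: str, task: str,
               question: Optional[str] = None, output: Optional[str] = None) -> List[str]:
    """Structured alternative to shell-string construction: validate each field and
    return an argv list for subprocess.run(argv) with shell=False. No user value is
    ever re-parsed by a shell, the image read is confined to images_dir and the
    --output write is confined to output_dir."""
    if task not in ALLOWED_TASKS:
        raise ValueError(f"unknown task {task!r}")
    argv = SCRIPT + [str(resolve_within(images_dir, image)), "--task", task]
    if question is not None:
        argv += ["--question", question]  # one argv element, whatever it contains
    if output is not None:
        argv += ["--output", str(resolve_within(output_dir, output))]
    return argv


if __name__ == "__main__":
    print(shell_argv_template(INJECTED_IMAGE, "describe"))  # --api-key MALICIOUS_KEY appears
    print(shell_argv_quoted(INJECTED_IMAGE, "describe"))    # one odd filename, task intact
    print(build_argv(Path("/srv/skill/images"), Path("/srv/skill/out"),
                     "invoice.jpg", "ask", question="What is the total?",
                     output="invoice.md"))
    print(is_within(Path("/srv/skill/out"), "../../../etc/cron.d/job"))  # False
```

The containment check resolves both the base and the candidate before comparing, so a symlink planted inside the sandbox cannot be used to redirect the write, and it requires the candidate to be strictly inside the base so the sandbox directory itself is never the target of `write_text`.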
[Full report on SkillShield](https://skillshield.io/report/a834efb16c3b6d95)