Trust Assessment
ngrok-unofficial-webhook-skill received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 3 critical, 1 high, 2 medium, and 1 low severity. Key findings include Arbitrary command execution, Unpinned npm dependency version, Arbitrary command execution via webhook payload.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings7
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/tanchunsiong/ngrok-unofficial-webhook-skill/scripts/webhook-server.js:40 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/tanchunsiong/ngrok-unofficial-webhook-skill/scripts/webhook-server.js:203 | |
| CRITICAL | Arbitrary command execution via webhook payload The skill's `webhookCommands` feature, as described in `SKILL.md`, allows defining shell commands in `skill.json` that are executed when a matching webhook event arrives. These commands can include placeholders (e.g., `{{meeting_id}}`) which are replaced by values extracted from the incoming webhook payload. An attacker sending a crafted webhook payload could inject arbitrary commands into the shell execution, leading to remote code execution on the host system. The `SKILL.md` explicitly states: 'If a matching skill has `webhookCommands` → runs the configured shell command'. Implement strict input validation and sanitization for all values extracted from webhook payloads before they are used in shell commands. Consider using a safer execution mechanism that does not involve direct shell interpretation, or restrict commands to a very limited set of predefined, parameterized actions. Avoid direct string concatenation into shell commands. | LLM | SKILL.md:60 | |
| HIGH | Broad shell execution permissions granted by `webhookCommands` The `webhookCommands` feature, as described in `SKILL.md`, allows skills to define and execute arbitrary shell commands based on incoming webhook events. This grants the skill broad permissions to interact with the underlying operating system, potentially allowing for file system manipulation, network requests, or other system-level actions. This capability, especially when combined with the command injection vulnerability, represents an excessive permission model for processing external, untrusted input. Re-evaluate the necessity of arbitrary shell command execution. If shell commands are required, implement a strict allowlist of commands and arguments, and execute them in a sandboxed or least-privilege environment. Avoid direct execution of commands constructed from untrusted input. | LLM | SKILL.md:60 | |
| MEDIUM | Unpinned npm dependency version Dependency '@ngrok/ngrok' is not pinned to an exact version ('^1.4.1'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/tanchunsiong/ngrok-unofficial-webhook-skill/package.json | |
| MEDIUM | Webhook payload data included in user notifications The `formatWebhookMessage` function in `scripts/webhook-server.js` includes up to 1000 characters of the raw webhook payload body in the message sent to the user via the `notifyUser` function. If the `OPENCLAW_NOTIFY_TARGET` environment variable is misconfigured or controlled by an attacker, sensitive information present in incoming webhooks could be inadvertently exfiltrated to an unauthorized recipient. Redact or filter sensitive fields from the `bodyPreview` before including it in notifications. Provide only necessary summary information, or offer a link to view the full payload securely. Ensure `OPENCLAW_NOTIFY_TARGET` is always a trusted and secure endpoint. | LLM | scripts/webhook-server.js:90 | |
| LOW | Unpinned dependencies in `package.json` The `package.json` file uses caret (`^`) ranges for all dependencies (e.g., `"@ngrok/ngrok": "^1.4.1"`). While `package-lock.json` pins exact versions, a fresh `npm install` without a `package-lock.json` (or if it's ignored/outdated) could pull a newer, potentially malicious version of a dependency if one is published within the specified range. This increases the risk of supply chain attacks. Consider using exact version pinning (e.g., `1.4.1` instead of `^1.4.1`) for critical dependencies, or ensure that `package-lock.json` is always used and kept up-to-date in deployment environments. Regularly audit dependencies for known vulnerabilities. | LLM | package.json:4 |
Scan History
Embed Code
[](https://skillshield.io/report/b95e64eb55c8dd40)
Powered by SkillShield