Trust Assessment
nima-core received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 16 findings: 4 critical, 5 high, 6 medium, and 1 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Dangerous call: subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (16)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/dmdorta1111/nima-core/nima_core/cli/setup.py:82 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/dmdorta1111/nima-core/nima_core/cli/setup.py:116 |
| CRITICAL | Arbitrary command execution. Dynamic import of dangerous module. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/dmdorta1111/nima-core/setup.py:7 |
| CRITICAL | Unsanitized User Input Injected into LLM Context (Prompt Injection). The `nima-recall` hook reads recent conversation context and NIMA memories (which can contain user-provided text) and injects them directly into the LLM's `bootstrapFiles` context as markdown. This content is not sanitized for potential prompt injection payloads. A malicious user could craft a message that, when stored in NIMA's memory or part of the conversation history, could contain instructions for the LLM, leading to prompt injection. Before injecting `md` (which contains `queryContext` and `raw` memory content) into `event.context.bootstrapFiles`, sanitize the content to neutralize any potential LLM instructions. This could involve escaping special characters, using a dedicated LLM-safe markdown renderer, or explicitly filtering for known prompt injection keywords. Alternatively, consider summarizing or extracting only relevant, non-instructional facts from the memories before injection. | LLM | hooks/nima-recall/handler.ts:120 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/dmdorta1111/nima-core/nima_core/core.py:40 |
| HIGH | Unsafe deserialization / dynamic eval. Python builtins/import manipulation. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/dmdorta1111/nima-core/setup.py:7 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'install_hooks'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/dmdorta1111/nima-core/nima_core/cli/setup.py:82 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'enable_hooks'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/dmdorta1111/nima-core/nima_core/cli/setup.py:116 |
| HIGH | Dangerous call: __import__(). Call to '__import__()' detected in function '<module>'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/dmdorta1111/nima-core/setup.py:7 |
| MEDIUM | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/dmdorta1111/nima-core/nima_core/bridge.py:10 |
| MEDIUM | Unpinned Python dependency version. Requirement 'torch>=2.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/dmdorta1111/nima-core/requirements.txt:1 |
| MEDIUM | Unpinned Python dependency version. Requirement 'numpy>=1.24.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/dmdorta1111/nima-core/requirements.txt:2 |
| MEDIUM | Unpinned Python dependency version. Requirement 'sentence-transformers>=2.2.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/dmdorta1111/nima-core/requirements.txt:3 |
| MEDIUM | Unpinned Python dependency version. Requirement 'scikit-learn>=1.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/dmdorta1111/nima-core/requirements.txt:4 |
| MEDIUM | Hardcoded Absolute Path in sys.path.insert (Supply Chain Risk). The `response_modulator.py` file contains a hardcoded absolute path (`/Users/lilu/.openclaw/workspace/nima-core`) inserted into `sys.path`. This is a development-specific practice that can introduce supply chain risks. If this path is writable by an attacker or contains malicious modules, it could lead to arbitrary code execution by overriding legitimate modules or loading unintended code. In a production environment, modules should be resolved via standard package management. Remove the hardcoded `sys.path.insert` line. Ensure that `nima_core` is installed as a proper Python package (e.g., via `pip install .`) so that its modules are discoverable through standard Python module resolution mechanisms. If local development paths are needed, use relative paths or environment variables that are not hardcoded to a specific user's system. | LLM | nima_core/cognition/response_modulator.py:5 |
| LOW | Node lockfile missing. package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/dmdorta1111/nima-core/package.json |