Trust Assessment
nochat-channel received a trust score of 53/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 1 critical, 0 high, 3 medium, and 1 low severity. Key findings include Missing required field: name, Unpinned npm dependency version, Prompt Injection via Inbound Message Content.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 61/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Prompt Injection via Inbound Message Content The `formatInboundContext` function in `src/session/router.ts` directly decodes base64-encoded `encrypted_content` from inbound messages (which is untrusted input) and embeds the resulting string into the context provided to the LLM. An attacker controlling the `encrypted_content` can inject arbitrary instructions into the LLM's prompt, potentially overriding its system prompt, manipulating its behavior, or causing it to perform unintended actions. Sanitize or escape all untrusted input before embedding it into LLM prompts. Consider using a dedicated prompt templating library that enforces strict separation between instructions and user content. For example, wrap user input in XML tags or specific delimiters that the LLM is instructed to treat as literal user input only, not as instructions. | LLM | src/session/router.ts:72 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/catsmeow492/nochat-channel/SKILL.md:1 | |
| MEDIUM | Unpinned npm dependency version Dependency 'vitest' is not pinned to an exact version ('^3.0.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/catsmeow492/nochat-channel/package.json | |
| MEDIUM | Excessive Permissions: Direct File System Access The `TrustStore` class in `src/trust/store.ts` includes methods (`loadFromFile`, `saveToFile`) that directly interact with the file system using `node:fs/promises`. While the provided skill code does not directly expose the `filePath` parameter of these methods to untrusted input, the presence of direct file system access grants the skill a powerful capability. If the host environment (OpenClaw) were to call these methods with a `filePath` derived from untrusted input, it could lead to arbitrary file read/write, posing a significant security risk (e.g., command injection, data exfiltration). This represents an excessive permission if not strictly controlled by the host environment. Ensure that the host environment strictly controls and sanitizes any `filePath` passed to `loadFromFile` or `saveToFile`. Ideally, the skill should not have direct arbitrary file system access. If persistence is required, consider using a host-provided secure storage API that abstracts file paths and enforces access controls, or restrict file operations to a dedicated, isolated directory. | LLM | src/trust/store.ts:100 | |
| LOW | Potential Data Exfiltration via Error Stack Traces in Logs The plugin logs full error stack traces to the console in `index.ts` when handling inbound messages. Stack traces can sometimes contain sensitive information such as file paths, environment variables, or partial secrets. If these logs are accessible, this information could be inadvertently exfiltrated. Avoid logging full stack traces in production environments. Instead, log only essential error messages or a unique error ID that can be correlated with detailed server-side logs. Ensure that any logged error messages are sanitized to prevent accidental exposure of sensitive data. | LLM | index.ts:101 | |
| INFO | Unpinned Development Dependencies in package.json The `package.json` file specifies development dependencies (`vitest`, `typescript`) using caret (`^`) version ranges. While `package-lock.json` pins exact versions, relying on `^` in `package.json` allows for automatic updates to minor or patch versions. This could potentially introduce unexpected changes, bugs, or even vulnerabilities if a malicious update is published to the registry, especially if the `package-lock.json` is ignored or regenerated. For improved supply chain security and reproducibility, it is best practice to pin all dependency versions, even for development dependencies. Pin all dependency versions in `package.json` to exact versions (e.g., `"vitest": "3.0.0"`) to ensure build reproducibility and prevent unexpected updates. Regularly audit dependencies for known vulnerabilities. | LLM | package.json:10 |
Scan History
Embed Code
[](https://skillshield.io/report/af05af8e47b5db81)
Powered by SkillShield