Trust Assessment
Notebook received a trust score of 37/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 2 critical, 1 high, 4 medium, and 0 low severity. Key findings include Unsafe deserialization / dynamic eval, Unpinned npm dependency version, Path Traversal via Unsanitized Type Name.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Path Traversal via Unsanitized Type Name.** The skill constructs file system paths using user-controlled input (`typeName`) without proper sanitization. The `typeName` argument, taken directly from command-line input, is used in `path.join(OBJECTS_DIR, type)` to create directories and file paths. An attacker can provide a `typeName` containing directory traversal sequences (e.g., `../../../../tmp`) to access, create, modify, or delete files outside the intended skill data directory. This affects `fs.mkdirSync`, `fs.writeFileSync`, `fs.readFileSync`, and `fs.unlinkSync` operations. *Recommendation:* Sanitize the `typeName` input to prevent directory traversal. Before using `typeName` in `path.join`, validate that it does not contain path separators or `..` sequences. A robust solution involves resolving the full path and ensuring it remains within the designated `OBJECTS_DIR` using `path.resolve` and checking that the resolved path starts with the canonical `OBJECTS_DIR`. | LLM | lib/store.js:99 |
| CRITICAL | **Data Exfiltration via Path Traversal.** Due to the path traversal vulnerability in `getObjectPath`, an attacker can manipulate the `typeName` argument to read arbitrary files on the system. When commands like `notebook get <malicious_type_name> <object_id>` are executed, the `loadObject` function (which calls `getObjectPath`) will attempt to read a file at the manipulated path, potentially exfiltrating sensitive system files (e.g., `/etc/passwd`, `/etc/shadow`). *Recommendation:* Implement strict input validation and path sanitization for `typeName` to ensure that all file system operations are confined to the intended `OBJECTS_DIR`. This will prevent unauthorized reading of files outside the skill's designated data storage. | LLM | lib/store.js:99 |
| HIGH | **Excessive File System Permissions due to Path Traversal.** The skill's file system operations (`fs.mkdirSync`, `fs.writeFileSync`, `fs.readFileSync`, `fs.unlinkSync`) are intended to operate within the `WORKSPACE_DIR/notebook` directory. However, the lack of sanitization for the user-controlled `typeName` in `getObjectPath` allows an attacker to perform directory traversal. This effectively grants the skill excessive permissions, enabling it to create, write, read, and delete files and directories anywhere on the file system that the process has permissions for, beyond its intended scope. *Recommendation:* Restrict file system access to the intended `OBJECTS_DIR` by validating and sanitizing all user-provided path components, such as `typeName`. Ensure that any resolved path remains a child of `OBJECTS_DIR` to prevent operations on arbitrary locations. | LLM | lib/store.js:99 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. *Recommendation:* Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/thesethrose/notebook/lib/store.js:100 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. *Recommendation:* Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/thesethrose/notebook/lib/store.js:272 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. *Recommendation:* Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/thesethrose/notebook/lib/store.js:286 |
| MEDIUM | **Unpinned npm dependency version.** Dependency 'js-yaml' is not pinned to an exact version ('^4.1.1'). *Recommendation:* Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/thesethrose/notebook/package.json |
Scan History
Full report: https://skillshield.io/report/cfa291f93318b1fb
Powered by SkillShield