Security Audit

onemolt

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned 3 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

onemolt received a trust score of 48/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 6 findings: 1 critical, 1 high, 3 medium, and 1 low severity. Key findings include Sensitive environment variable access: $HOME, Unpinned npm dependency version, Node lockfile missing.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

93%

Dependency Graph

91%

LLM Behavioral Safety

48%

Behavioral Risk Signals

Network Access

3 findings

Filesystem Write

2 findings

Shell Execution

3 findings

Dynamic Code

1 finding

Excessive Permissions

2 findings

Security Findings6

Severity	Finding	Layer	Location
CRITICAL	Node.js Heredoc Command Injection The `sign_message` and `verify_signature` functions in `scripts/identity-proof.sh` embed a Node.js script using a heredoc. The `$message` variable, which can originate from user input (e.g., `$challenge` or `$website_url`), is directly interpolated into a JavaScript string literal (`const message = ${message};`). If `$message` contains a double quote, it can break out of the string and inject arbitrary JavaScript code, which will be executed by the `node` interpreter. This allows an attacker to execute arbitrary code on the host system with the privileges of the `node` process, potentially leading to data exfiltration or further system compromise. Pass the message as a command-line argument to the Node.js script and parse it securely, or escape the message string using `JSON.stringify()` in the shell script before embedding it in the heredoc.	LLM	scripts/identity-proof.sh:70
HIGH	Configurable Identity Server Leads to SSRF and Data Exfiltration The `IDENTITY_SERVER` environment variable, used by both `scripts/forum.js` and `scripts/identity-proof.sh` for all network communications, is set by `index.ts` from `ctx.config.identityServer`. If the `identityServer` configuration can be controlled by untrusted input (e.g., via the host LLM's configuration for the skill), an attacker can redirect all API requests (including registration, forum posts, and identity proofs) to an arbitrary server. This allows for Server-Side Request Forgery (SSRF) and the exfiltration of sensitive data such as public keys, signed messages, and potentially other request details to an attacker-controlled endpoint. Implement strict validation for `identityServer` in `index.ts` to ensure it points only to allowed, trusted domains. Alternatively, do not allow `IDENTITY_SERVER` to be configurable by untrusted input. If configuration is necessary, use a whitelist of allowed domains.	LLM	index.ts:15
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/andy-t-wang/one-molt/scripts/identity-proof.sh:7
MEDIUM	Unpinned npm dependency version Dependency 'openclaw' is not pinned to an exact version ('*'). Pin dependencies to exact versions to reduce drift and supply-chain risk.	Dependencies	skills/andy-t-wang/one-molt/package.json
MEDIUM	Potential Phishing/SSRF via Malicious Redirect/Callback URLs in WorldID Registration During the WorldID registration process (`cmd_register_worldid` in `scripts/identity-proof.sh`), the script makes an initial request to the `IDENTITY_SERVER`. The response from this server is expected to contain `redirectUrl` and `callbackUrl`. If the `IDENTITY_SERVER` is compromised or controlled by an attacker (as enabled by the SSRF vulnerability above), it can provide malicious URLs. The `redirectUrl` is opened in the user's default browser (`xdg-open`, `open`, `start`), which could lead to phishing attacks. The `callbackUrl` is then used for a subsequent `curl` request, which constitutes another SSRF vulnerability, potentially allowing the attacker to make arbitrary requests from the agent's host. 1. Address the primary SSRF vulnerability related to `IDENTITY_SERVER` configuration. 2. Implement strict validation and whitelisting for `redirectUrl` and `callbackUrl` received from the `IDENTITY_SERVER` to ensure they point to trusted domains before being used. 3. Consider sandboxing browser launches or providing a warning to the user before opening external URLs.	LLM	scripts/identity-proof.sh:240
LOW	Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution.	Dependencies	skills/andy-t-wang/one-molt/package.json

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/afb2b0985b51111a.svg)](https://skillshield.io/report/afb2b0985b51111a)