Trust Assessment
opcode received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 2 high, 1 medium, and 1 low severity. Key findings include Arbitrary Command Execution via shell.exec, Arbitrary Filesystem Access via fs.* actions, Data Exfiltration via http.* actions and variable interpolation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 31/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary Command Execution via shell.exec.** The `shell.exec` action explicitly allows execution of arbitrary commands on the host system. If a workflow definition or its parameters (e.g., `command`, `args`, `env`) can be influenced by untrusted input, an attacker could inject and execute malicious commands, leading to full system compromise. This is a direct command injection vulnerability. Implement strict input validation and sanitization for all parameters passed to `shell.exec` if they originate from or can be influenced by untrusted sources. Consider sandboxing or restricting the execution environment for `shell.exec` commands. Limit the scope of `shell.exec` to a predefined set of safe commands, or disallow untrusted users from defining or running workflows that use `shell.exec`. | LLM | SKILL.md:204 |
| HIGH | **Arbitrary Filesystem Access via fs.\* actions.** The `fs.read`, `fs.write`, `fs.delete`, `fs.list`, `fs.stat`, `fs.copy`, and `fs.move` actions provide broad access to the filesystem. If an attacker can control the `path` or `content` parameters of these actions through untrusted workflow definitions or parameters, they could read sensitive files, write malicious content, or delete critical system files. Implement strict input validation and sanitization for all `path` and `content` parameters originating from untrusted sources. Restrict filesystem access to specific, allow-listed directories, or disallow untrusted users from defining or running workflows that use `fs.*` actions. | LLM | SKILL.md:202 |
| HIGH | **Data Exfiltration via http.\* actions and variable interpolation.** The `http.request`, `http.get`, and `http.post` actions allow arbitrary network requests. When combined with variable interpolation, particularly `${{secrets.KEY}}`, `${{steps.ID.output}}`, or `${{inputs.KEY}}`, an attacker could construct malicious HTTP requests to exfiltrate sensitive data (e.g., secrets, workflow outputs, or file contents read via `fs.read`) to an external server. Implement strict validation and sanitization for URLs, headers, and body content if they originate from untrusted input. Restrict outbound network access to an allow-list of approved domains. Carefully control which variables (especially secrets) can be interpolated into network requests. | LLM | SKILL.md:180 |
| MEDIUM | **Potential Prompt Injection in reasoning step prompt_context.** The `reasoning` step type includes a `prompt_context` field, which is explicitly designed to be presented to an agent for decision-making. If an attacker can control the content of this `prompt_context` through untrusted workflow definitions, they could inject malicious instructions or manipulate the agent's behavior. Implement robust sanitization and filtering for `prompt_context` content if it can be influenced by untrusted input. Clearly delineate trusted instructions from untrusted data within the prompt presented to the agent. Consider using a separate, isolated LLM call for untrusted content analysis. | LLM | SKILL.md:165 |
| LOW | **Unpinned Dependency in Skill Installation Instructions.** The installation instruction `go install github.com/rendis/opcode/cmd/opcode@latest` uses `@latest`, which means the exact version of the dependency is not pinned. This introduces a supply chain risk, as a malicious update to the `opcode` repository could be automatically pulled and installed without explicit review, potentially compromising the system where the skill is installed. Pin the dependency to a specific, immutable version (e.g., `github.com/rendis/opcode/cmd/opcode@v1.2.1`) to ensure deterministic and auditable installations. Update the manifest's `openclaw-install-package` to reflect a pinned version if applicable. | LLM | SKILL.md:40 |