Trust Assessment
openclaw-checkpoint received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 16 findings: 11 critical, 3 high, 2 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Arbitrary command execution, File read + network send exfiltration.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings16
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/anthonyfrancis/openclaw-checkpoint/SKILL.md:339 | |
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/anthonyfrancis/openclaw-checkpoint/SKILL.md:418 | |
| CRITICAL | Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/anthonyfrancis/openclaw-checkpoint/SKILL.md:417 | |
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/anthonyfrancis/openclaw-checkpoint/SKILL.md:33 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/anthonyfrancis/openclaw-checkpoint/SKILL.md:43 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/anthonyfrancis/openclaw-checkpoint/SKILL.md:280 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/anthonyfrancis/openclaw-checkpoint/SKILL.md:356 | |
| CRITICAL | File read + network send exfiltration SSH key/config file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/anthonyfrancis/openclaw-checkpoint/SKILL.md:452 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/anthonyfrancis/openclaw-checkpoint/SKILL.md:43 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/anthonyfrancis/openclaw-checkpoint/SKILL.md:280 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/anthonyfrancis/openclaw-checkpoint/SKILL.md:356 | |
| HIGH | Persistence mechanism: macOS LaunchAgent Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/anthonyfrancis/openclaw-checkpoint/SKILL.md:417 | |
| HIGH | Sensitive data exposure if backup repository is public The skill's primary function is to back up highly sensitive user data (identity, memory, conversation history, configurations) to a Git repository. The skill explicitly warns that this repository *must* be private. However, if a user inadvertently or maliciously makes the repository public, all backed-up sensitive data will be exposed. While the skill provides warnings, the potential for user error leading to critical data exposure is high given the nature of the data being backed up. Implement a check within `checkpoint-setup` or `checkpoint-backup` to verify the repository's visibility (e.g., using GitHub API) and warn/fail if it's public. Add a more prominent, interactive confirmation during setup that the user understands the implications of a private repository. | LLM | SKILL.md:190 | |
| HIGH | Untrusted code execution via `curl | bash` quick install The "Quick Install" method instructs users to execute a remote shell script directly via `curl -fsSL ... | bash`. This pattern is a significant supply chain risk. If the remote script hosted at `https://raw.githubusercontent.com/AnthonyFrancis/openclaw-checkpoint/main/scripts/install-openclaw-checkpoint.sh` were compromised, it could lead to arbitrary code execution on the user's machine with their current privileges. Although the skill advises reviewing the script, many users may bypass this step, increasing their exposure to malicious code. Prioritize the Git Clone method as the primary installation instruction. For the quick install, provide a checksum (e.g., SHA256) for the script that users can verify before execution. Alternatively, instruct users to download the script first, inspect it, and then execute it locally. | LLM | SKILL.md:50 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/anthonyfrancis/openclaw-checkpoint/SKILL.md:34 | |
| MEDIUM | Persistence mechanism: Shell RC file modification Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/anthonyfrancis/openclaw-checkpoint/SKILL.md:33 |
Scan History
Embed Code
[](https://skillshield.io/report/68152da65530f225)
Powered by SkillShield