Trust Assessment
openclaw-groq-orpheus-tts received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Command Injection via unsanitized output filename.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Command Injection via unsanitized output filename The `ffmpeg` command directly interpolates the user-provided `$OUT_MP3` variable without proper sanitization. A malicious user could inject shell metacharacters (e.g., `;`, `|`, `&`, `$(...)`) into the `output.mp3` argument, leading to arbitrary command execution on the host system. For example, providing `'; rm -rf /; #'` as the output filename could delete files. Sanitize the `$OUT_MP3` variable before using it in the `ffmpeg` command. A robust solution would be to validate the filename against a whitelist of allowed characters or use a utility that safely escapes shell arguments. Alternatively, ensure the output path is always within a controlled, non-sensitive directory (e.g., `/tmp/`) and that the filename itself cannot contain path separators or shell metacharacters. | LLM | groq-tts.sh:50 |
Scan History
Embed Code
[](https://skillshield.io/report/4dd08ff52d413a65)
Powered by SkillShield