Trust Assessment
openclaw-ledger-pro received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Broad File System Access via User-Controlled Workspace.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings

| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Broad File System Access via User-Controlled Workspace.** The `snapshot_workspace` function, used by core commands like `init` and `record`, iterates over the entire directory tree of the user-provided `workspace` path using `os.walk(ws)`. While some directories are explicitly skipped (`SKIP_DIRS`), a malicious or careless user could specify a broad or sensitive directory (e.g., `/`, `/home/user`) as the workspace. This allows the skill to read and hash the contents of potentially sensitive files, gathering extensive file system metadata for reconnaissance purposes, even though the data is stored locally and not exfiltrated over a network. The truncation of the provided `scripts/ledger.py` means further analysis of other commands (e.g., `restore`, `protect`) is not possible, but this specific vulnerability is evident in the available code. **Recommendation:** implement stricter validation on the `workspace` path to ensure it is confined to an expected, limited scope (e.g., a dedicated project directory). If broad access is truly necessary, require explicit, interactive user confirmation for paths outside a safe default. The host environment should also enforce sandboxing or least-privilege access controls for skill execution. | LLM | scripts/ledger.py:200 |
Full report: https://skillshield.io/report/b218f2876ae1f87a (powered by SkillShield)