Security Audit

openclaw-multi-brain

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

openclaw-multi-brain received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 36 findings: 23 critical, 4 high, 8 medium, and 1 low severity. Key findings include Persistence / self-modification instructions, Arbitrary command execution, Missing required field: name.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

Static Code Analysis

34%

Dependency Graph

98%

LLM Behavioral Safety

Behavioral Risk Signals

Network Access

1 finding

Filesystem Write

13 findings

Shell Execution

17 findings

Dynamic Code

5 findings

Excessive Permissions

3 findings

Security Findings36

Severity	Finding	Layer	Location
CRITICAL	Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/dannydvm/openclaw-multi-brain/daemon/install.sh:16
CRITICAL	Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/dannydvm/openclaw-multi-brain/daemon/install.sh:51
CRITICAL	Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/dannydvm/openclaw-multi-brain/src/cli.js:211
CRITICAL	Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/dannydvm/openclaw-multi-brain/src/cli.js:242
CRITICAL	Persistence / self-modification instructions systemd service persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/dannydvm/openclaw-multi-brain/daemon/install.sh:91
CRITICAL	Persistence / self-modification instructions systemd service persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/dannydvm/openclaw-multi-brain/src/cli.js:273
CRITICAL	Persistence / self-modification instructions systemd service persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/dannydvm/openclaw-multi-brain/src/cli.js:281
CRITICAL	Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/dannydvm/openclaw-multi-brain/src/cli.js:4
CRITICAL	Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/dannydvm/openclaw-multi-brain/src/cli.js:212
CRITICAL	Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/dannydvm/openclaw-multi-brain/src/cli.js:213
CRITICAL	Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/dannydvm/openclaw-multi-brain/src/cli.js:242
CRITICAL	Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/dannydvm/openclaw-multi-brain/src/cli.js:251
CRITICAL	Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/dannydvm/openclaw-multi-brain/src/cli.js:252
CRITICAL	Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/dannydvm/openclaw-multi-brain/src/cli.js:272
CRITICAL	Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/dannydvm/openclaw-multi-brain/src/cli.js:273
CRITICAL	Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/dannydvm/openclaw-multi-brain/src/cli.js:274
CRITICAL	Hardcoded Absolute Paths for API Key and Memory File The skill hardcodes absolute file paths for reading the Kimi API key and a 'MEMORY.md' file. This poses a significant security risk as it assumes a specific user's home directory structure ('/Users/chadix/clawd/'). If the skill runs under a different user or on a different system, it will fail or, worse, could be exploited by an attacker to read arbitrary files if a symlink or similar path manipulation is possible. It also directly exposes the expected location of sensitive credentials. Use relative paths based on the skill's configuration directory (e.g., `path.join(config.CONFIG_DIR, '.kimi-api-key')`) or environment variables. Avoid hardcoding absolute user-specific paths.	LLM	daemon/dual-brain-watcher.js:15
CRITICAL	Hardcoded Absolute Paths for API Key and Memory File The skill hardcodes absolute file paths for reading the Kimi API key and a 'MEMORY.md' file. This poses a significant security risk as it assumes a specific user's home directory structure ('/Users/chadix/clawd/'). If the skill runs under a different user or on a different system, it will fail or, worse, could be exploited by an attacker to read arbitrary files if a symlink or similar path manipulation is possible. It also directly exposes the expected location of sensitive credentials. Use relative paths based on the skill's configuration directory (e.g., `path.join(config.CONFIG_DIR, 'MEMORY.md')`) or environment variables. Avoid hardcoding absolute user-specific paths.	LLM	daemon/dual-brain-watcher.js:89
CRITICAL	Hardcoded Absolute Paths for API Key and Memory File in Hook The hook handler hardcodes absolute file paths for reading the Kimi API key and a 'MEMORY.md' file. This poses a significant security risk as it assumes a specific user's home directory structure ('/Users/chadix/clawd/'). If the skill runs under a different user or on a different system, it will fail or, worse, could be exploited by an attacker to read arbitrary files if a symlink or similar path manipulation is possible. It also directly exposes the expected location of sensitive credentials. Use relative paths based on the skill's configuration directory or environment variables. Avoid hardcoding absolute user-specific paths.	LLM	hooks-dual-brain-handler.js:7
CRITICAL	Hardcoded Absolute Paths for API Key and Memory File in Hook The hook handler hardcodes absolute file paths for reading the Kimi API key and a 'MEMORY.md' file. This poses a significant security risk as it assumes a specific user's home directory structure ('/Users/chadix/clawd/'). If the skill runs under a different user or on a different system, it will fail or, worse, could be exploited by an attacker to read arbitrary files if a symlink or similar path manipulation is possible. It also directly exposes the expected location of sensitive credentials. Use relative paths based on the skill's configuration directory or environment variables. Avoid hardcoding absolute user-specific paths.	LLM	hooks-dual-brain-handler.js:70
CRITICAL	Hardcoded Absolute Paths for API Key and Memory File in Hook The hook handler hardcodes absolute file paths for reading the Kimi API key and a 'MEMORY.md' file. This poses a significant security risk as it assumes a specific user's home directory structure ('/Users/chadix/clawd/'). If the skill runs under a different user or on a different system, it will fail or, worse, could be exploited by an attacker to read arbitrary files if a symlink or similar path manipulation is possible. It also directly exposes the expected location of sensitive credentials. Use relative paths based on the skill's configuration directory or environment variables. Avoid hardcoding absolute user-specific paths.	LLM	hooks/dual-brain/handler.js:7
CRITICAL	Hardcoded Absolute Paths for API Key and Memory File in Hook The hook handler hardcodes absolute file paths for reading the Kimi API key and a 'MEMORY.md' file. This poses a significant security risk as it assumes a specific user's home directory structure ('/Users/chadix/clawd/'). If the skill runs under a different user or on a different system, it will fail or, worse, could be exploited by an attacker to read arbitrary files if a symlink or similar path manipulation is possible. It also directly exposes the expected location of sensitive credentials. Use relative paths based on the skill's configuration directory or environment variables. Avoid hardcoding absolute user-specific paths.	LLM	hooks/dual-brain/handler.js:70
CRITICAL	Command Injection Risk in Installation Script The `install.sh` script uses `$(which node)` and `$(which dual-brain)` to locate executables. If the user's `PATH` environment variable is compromised, a malicious executable could be found and executed instead of the legitimate ones. Additionally, the script constructs and executes system service files (`launchd` plist, `systemd` service) which involve direct command execution, increasing the risk if variables used in their construction are not properly sanitized or controlled. Use absolute paths to executables where possible, or validate the paths returned by `which`. Ensure all variables used in constructing service files are properly escaped or sanitized to prevent injection.	LLM	daemon/install.sh:12
HIGH	Persistence mechanism: macOS LaunchAgent Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration.	Static	skills/dannydvm/openclaw-multi-brain/daemon/install.sh:16
HIGH	Persistence mechanism: macOS LaunchAgent Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration.	Static	skills/dannydvm/openclaw-multi-brain/daemon/install.sh:51
HIGH	Persistence mechanism: systemd service Detected systemd service pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration.	Static	skills/dannydvm/openclaw-multi-brain/daemon/install.sh:91
HIGH	Excessive Permissions Required for Installation The `install.sh` script for Linux requires `sudo` to move service files to `/etc/systemd/system/` and to reload/enable/start systemd daemons. This grants root privileges to the installation process, which is necessary for system services but should be noted as a high-privilege operation. A compromised `install.sh` could perform arbitrary actions as root. Ensure the `install.sh` script is thoroughly reviewed and secured. Minimize the scope of `sudo` commands if possible, or provide clear warnings to the user about the implications of running with elevated privileges.	LLM	daemon/install.sh:68
MEDIUM	Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter.	Static	skills/dannydvm/openclaw-multi-brain/SKILL.md:1
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/dannydvm/openclaw-multi-brain/daemon/install.sh:16
MEDIUM	Sensitive environment variable access: $USER Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/dannydvm/openclaw-multi-brain/daemon/install.sh:75
MEDIUM	Data Exfiltration to Local Engram Service The `storeInEngram` function in `src/daemon.js` sends `perspective` and `userMessage` data to a local HTTP endpoint (`http://localhost:3400/api/memories`). While intended for internal memory storage, this represents a data flow to another local process. If the Engram service is compromised or if another malicious process is listening on port 3400, this data could be intercepted or misused. Ensure the Engram service is secured and authenticated. Consider using HTTPS for local communication if sensitive data is exchanged, even if it's localhost. Implement robust error handling and logging for this data transfer.	LLM	src/daemon.js:63
MEDIUM	Potential Prompt Injection in LLM Interactions The skill constructs LLM prompts using user-controlled `userMessage` and file-read `context` in its `getPerspective` methods across various providers (Groq, Moonshot, Ollama, OpenAI) and directly in the daemon/hook. Although `userMessage` is sliced to limit length, a sophisticated attacker could still attempt to manipulate the LLM's behavior, extract information, or bypass safety mechanisms by crafting specific inputs. The system prompt attempts to guide the LLM, but user input is a known vector for prompt injection. Implement more robust prompt sanitization and validation for user inputs. Consider using LLM-specific prompt injection detection techniques or input/output guardrails. Regularly update LLM models to benefit from improved safety features.	LLM	src/providers/groq.js:31
MEDIUM	Potential Prompt Injection in LLM Interactions The skill constructs LLM prompts using user-controlled `userMessage` and file-read `context` in its `getPerspective` methods across various providers (Groq, Moonshot, Ollama, OpenAI) and directly in the daemon/hook. Although `userMessage` is sliced to limit length, a sophisticated attacker could still attempt to manipulate the LLM's behavior, extract information, or bypass safety mechanisms by crafting specific inputs. The system prompt attempts to guide the LLM, but user input is a known vector for prompt injection. Implement more robust prompt sanitization and validation for user inputs. Consider using LLM-specific prompt injection detection techniques or input/output guardrails. Regularly update LLM models to benefit from improved safety features.	LLM	src/providers/moonshot.js:31
MEDIUM	Potential Prompt Injection in LLM Interactions The skill constructs LLM prompts using user-controlled `userMessage` and file-read `context` in its `getPerspective` methods across various providers (Groq, Moonshot, Ollama, OpenAI) and directly in the daemon/hook. Although `userMessage` is sliced to limit length, a sophisticated attacker could still attempt to manipulate the LLM's behavior, extract information, or bypass safety mechanisms by crafting specific inputs. The system prompt attempts to guide the LLM, but user input is a known vector for prompt injection. Implement more robust prompt sanitization and validation for user inputs. Consider using LLM-specific prompt injection detection techniques or input/output guardrails. Regularly update LLM models to benefit from improved safety features.	LLM	src/providers/ollama.js:31
MEDIUM	Potential Prompt Injection in LLM Interactions The skill constructs LLM prompts using user-controlled `userMessage` and file-read `context` in its `getPerspective` methods across various providers (Groq, Moonshot, Ollama, OpenAI) and directly in the daemon/hook. Although `userMessage` is sliced to limit length, a sophisticated attacker could still attempt to manipulate the LLM's behavior, extract information, or bypass safety mechanisms by crafting specific inputs. The system prompt attempts to guide the LLM, but user input is a known vector for prompt injection. Implement more robust prompt sanitization and validation for user inputs. Consider using LLM-specific prompt injection detection techniques or input/output guardrails. Regularly update LLM models to benefit from improved safety features.	LLM	src/providers/openai.js:31
LOW	Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution.	Dependencies	skills/dannydvm/openclaw-multi-brain/package.json

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/42e3c7700cfb94e5.svg)](https://skillshield.io/report/42e3c7700cfb94e5)