Trust Assessment
openclaw-security-monitor received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 52 findings: 23 critical, 5 high, 22 medium, and 2 low severity. Key findings include Persistence / self-modification instructions, Network egress to untrusted endpoints, Arbitrary command execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings52
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/adibirzu/openclaw-security-monitor/scripts/dashboard.sh:163 | |
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-03-reverse-shells.sh:91 | |
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-22-persistence.sh:35 | |
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-22-persistence.sh:38 | |
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-22-persistence.sh:52 | |
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/adibirzu/openclaw-security-monitor/scripts/scan.sh:559 | |
| CRITICAL | Persistence / self-modification instructions systemd service persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-31-internet-expose.sh:157 | |
| CRITICAL | Persistence / self-modification instructions systemd service persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-31-internet-expose.sh:158 | |
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-16-env-leakage.sh:16 | |
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-16-env-leakage.sh:17 | |
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-16-env-leakage.sh:18 | |
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-29-plaintext-creds.sh:65 | |
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/adibirzu/openclaw-security-monitor/scripts/scan.sh:371 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/adibirzu/openclaw-security-monitor/dashboard/server.js:307 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/adibirzu/openclaw-security-monitor/scripts/scan.sh:328 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/adibirzu/openclaw-security-monitor/dashboard/server.js:5 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/adibirzu/openclaw-security-monitor/dashboard/server.js:44 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/adibirzu/openclaw-security-monitor/dashboard/server.js:53 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/adibirzu/openclaw-security-monitor/dashboard/server.js:62 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-06-curl-pipe.sh:78 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-28-nodejs-cve.sh:59 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-06-curl-pipe.sh:78 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-28-nodejs-cve.sh:59 | |
| HIGH | Persistence mechanism: systemd service Detected systemd service pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-31-internet-expose.sh:157 | |
| HIGH | Persistence mechanism: systemd service Detected systemd service pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-31-internet-expose.sh:158 | |
| HIGH | Unrestricted Shell Execution in Dashboard Server The `dashboard/server.js` file uses `child_process.execFile` with `/bin/bash` to execute shell scripts. While the scripts themselves are local, the `args` parameter to `execFile` is constructed from user-controlled URL query parameters. If not properly sanitized, this could lead to command injection by an attacker manipulating the URL to execute arbitrary commands on the host system. Specifically, `runScript(scriptName, args = [])` and `runRemediateScript(scriptPath, args = [])` directly pass `args` from the request to `execFile` without explicit sanitization for shell metacharacters. Implement robust input validation and sanitization for all URL query parameters that are passed as arguments to shell scripts. Ensure that arguments are treated as literal strings and not interpreted as shell commands. Consider using `execFile` with a specific executable and passing arguments as an array, ensuring no shell interpretation, or escape all arguments using a function like `shell_escape` before passing them to `execFile`. | LLM | dashboard/server.js:40 | |
| HIGH | Unrestricted Shell Execution in Dashboard Server (Remediation Scripts) Similar to the `runScript` function, `runRemediateScript` also uses `child_process.execFile` with `/bin/bash` and passes `args` directly from potentially user-controlled input. This creates a command injection vulnerability if an attacker can manipulate the `args` to execute arbitrary commands on the host system. Implement robust input validation and sanitization for all URL query parameters that are passed as arguments to remediation scripts. Ensure that arguments are treated as literal strings and not interpreted as shell commands. Escape all arguments using a function like `shell_escape` before passing them to `execFile`. | LLM | dashboard/server.js:54 | |
| HIGH | Unrestricted Shell Execution in Dashboard Server (Arbitrary Commands) The `dashboard/server.js` file includes a `runCmd` function that directly executes an arbitrary command (`cmd`) with arguments (`args`) using `child_process.execFile`. While the current usage within the provided code might be for trusted internal commands, exposing this function to user-controlled input (e.g., via API endpoints) without strict validation would be a critical command injection vulnerability. The `cmd` and `args` are directly passed to `execFile`. Avoid executing arbitrary commands from user input. If external commands must be executed, use a strict whitelist of allowed commands and arguments. Ensure all arguments are properly escaped or passed as an array to `execFile` to prevent shell interpretation. Review all call sites of `runCmd` to ensure `cmd` and `args` are never derived from untrusted input. | LLM | dashboard/server.js:47 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/adibirzu/openclaw-security-monitor/scripts/daily-scan-cron.sh:7 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/adibirzu/openclaw-security-monitor/scripts/dashboard.sh:6 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/adibirzu/openclaw-security-monitor/scripts/remediate/_common.sh:6 | |
| MEDIUM | Persistence mechanism: Shell RC file modification Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-16-env-leakage.sh:16 | |
| MEDIUM | Persistence mechanism: Shell RC file modification Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-16-env-leakage.sh:17 | |
| MEDIUM | Persistence mechanism: Shell RC file modification Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-16-env-leakage.sh:18 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-22-persistence.sh:10 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-24-log-redaction.sh:57 | |
| MEDIUM | Sensitive environment variable access: $USER Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-27-docker-sec.sh:34 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-27-docker-sec.sh:76 | |
| MEDIUM | Sensitive environment variable access: $OPENAI_API_KEY Access to sensitive environment variable '$OPENAI_API_KEY' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-29-plaintext-creds.sh:67 | |
| MEDIUM | Persistence mechanism: Shell RC file modification Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-29-plaintext-creds.sh:65 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/adibirzu/openclaw-security-monitor/scripts/remediate/check-30-vscode-trojans.sh:9 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/adibirzu/openclaw-security-monitor/scripts/remediate.sh:19 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/adibirzu/openclaw-security-monitor/scripts/scan.sh:17 | |
| MEDIUM | Persistence mechanism: Shell RC file modification Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/adibirzu/openclaw-security-monitor/scripts/scan.sh:371 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/adibirzu/openclaw-security-monitor/scripts/telegram-setup.sh:5 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/adibirzu/openclaw-security-monitor/scripts/update-ioc.sh:17 | |
| MEDIUM | Sensitive environment variable access: $GITHUB_REPO Access to sensitive environment variable '$GITHUB_REPO' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/adibirzu/openclaw-security-monitor/scripts/update-ioc.sh:45 | |
| MEDIUM | Telegram Bot Token Exposure via Environment Variable The `daily-scan-cron.sh` and `telegram-setup.sh` scripts rely on the `OPENCLAW_TELEGRAM_TOKEN` environment variable for Telegram API authentication. While using environment variables is generally better than hardcoding, it still poses a risk if the environment is accessible to other processes or if the variable is inadvertently logged or exposed. The `telegram-setup.sh` script also attempts to auto-discover the chat ID by calling `getUpdates` which requires the token, and then stores the chat ID in a file, which could be sensitive. Consider using a more secure secrets management solution, such as a dedicated secrets vault or a platform-specific secrets store, instead of plain environment variables. Ensure that logs do not capture the `TELEGRAM_TOKEN` value. Implement strict file permissions for `telegram-chat-id` to prevent unauthorized access. | LLM | scripts/daily-scan-cron.sh:49 | |
| MEDIUM | Telegram Chat ID Stored in Plaintext File The `daily-scan-cron.sh` and `telegram-setup.sh` scripts store the Telegram chat ID in a plaintext file (`$LOG_DIR/telegram-chat-id`). While the chat ID itself might not be a secret, its combination with a bot token allows sending messages to that chat. If this file is compromised, an attacker could potentially send spoofed security alerts or other messages to the configured Telegram chat. Ensure strict file permissions (e.g., 600) for the `telegram-chat-id` file to restrict access to the owner only. Consider encrypting this file at rest or using a secure configuration store if the platform provides one. The `check-21-session-perms.sh` and `check-24-log-redaction.sh` scripts attempt to fix permissions for log files, but explicitly mentioning `telegram-chat-id` would be beneficial. | LLM | scripts/daily-scan-cron.sh:50 | |
| MEDIUM | Unpinned Upstream IOC Repository The `update-ioc.sh` script fetches IOC data from a GitHub repository (`https://raw.githubusercontent.com/adibirzu/openclaw-security-monitor/main/ioc`). This URL points to the `main` branch, which means updates are unpinned and could change at any time. If the upstream repository is compromised, malicious IOC data could be injected, potentially leading to false positives, denial of service, or even command injection if the IOC patterns are not properly sanitized before use by `grep` or other tools (though current usage of `grep -E` with escaped patterns mitigates direct shell injection, regex injection remains a possibility). Pin the upstream IOC repository to a specific commit hash or tag to ensure deterministic updates. Implement cryptographic verification (e.g., GPG signatures or checksums) for fetched IOC files to detect tampering. Regularly audit the upstream repository for suspicious changes. | LLM | scripts/update-ioc.sh:17 | |
| LOW | Potential Command Injection in `crontab -l` Output Processing In `check-22-persistence.sh`, the script processes the output of `crontab -l` line by line. While the `grep` patterns are hardcoded, if a malicious cron job entry were to contain specific shell metacharacters that are then used in an unquoted context later in the script (e.g., if the `line` variable were used directly in an `eval` or unquoted command), it could lead to command injection. Currently, the script only logs and provides guidance, but it's a pattern to be aware of. Ensure that any variables derived from external command output (like `crontab -l`) are always properly quoted when used in subsequent commands, especially if they might contain user-controlled or untrusted data. In this specific case, the risk is low as `line` is only used in `log` and `guidance` which are safe, but it's a good practice to highlight. | LLM | scripts/remediate/check-22-persistence.sh:40 | |
| LOW | Potential Command Injection in `find` Output Processing Several scripts use `find ... -print0` and `while IFS= read -r -d '' var; do ... done < <(find ...)` to safely iterate over file paths containing special characters. However, in `check-22-persistence.sh`, the `find` command for system LaunchDaemons (`find "$LAUNCH_DAEMONS_DIR" -type f -name "*.plist" 2>/dev/null`) is not piped to `read -r -d ''`, meaning it processes filenames with spaces or special characters less robustly. While `plist` is used in `log` and `guidance` (which are safe), it's a deviation from the safer pattern used elsewhere. Consistently use `find ... -print0 | while IFS= read -r -d '' var; do ... done` for processing file paths to handle filenames with spaces or special characters safely across all scripts. | LLM | scripts/remediate/check-22-persistence.sh:67 |
Scan History
Embed Code
[](https://skillshield.io/report/2fd1b44848aef920)
Powered by SkillShield