Trust Assessment
openclaw-self-healing received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 19 findings: 6 critical, 5 high, 8 medium, and 0 low severity. Key findings include: Persistence / self-modification instructions; Arbitrary command execution; and Remote code execution: curl/wget pipe to shell.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (19)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions: macOS LaunchAgent/LaunchDaemon persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/ramsbaby/openclaw-self-healing/install.sh:185 |
| CRITICAL | Persistence / self-modification instructions: macOS LaunchAgent/LaunchDaemon persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/ramsbaby/openclaw-self-healing/install.sh:222 |
| CRITICAL | Arbitrary command execution: Remote code download piped to interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ramsbaby/openclaw-self-healing/install.sh:7 |
| CRITICAL | Arbitrary command execution: Remote code download piped to interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/ramsbaby/openclaw-self-healing/install.sh:10 |
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/ramsbaby/openclaw-self-healing/install.sh:7 |
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/ramsbaby/openclaw-self-healing/install.sh:10 |
| HIGH | Persistence mechanism: macOS LaunchAgent. Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/ramsbaby/openclaw-self-healing/install.sh:185 |
| HIGH | Persistence mechanism: macOS LaunchAgent. Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/ramsbaby/openclaw-self-healing/install.sh:222 |
| HIGH | AI Agent with Full Workspace Access (Command Injection / Excessive Permissions). The skill explicitly launches the Claude Code AI agent with the `--trust-workspace` flag, granting it full access to the local filesystem and the ability to execute arbitrary commands. While this is the intended functionality for an 'emergency doctor' AI, it represents a significant security risk. If the LLM is compromised (e.g., via a sophisticated prompt injection from logs it analyzes, or if the LLM itself generates malicious commands), it can execute arbitrary code on the host system with the permissions of the user running the skill. The script then sends commands like 'openclaw status', 'openclaw logs', 'openclaw diagnose', 'openclaw report' to this highly privileged Claude session. Re-evaluate the necessity of `--trust-workspace`. If full access is required, implement strict input validation and sanitization for any data fed to the LLM. Consider using a more constrained execution environment (e.g., a container or a sandboxed shell) for the AI agent to limit potential damage. Implement robust monitoring and auditing of commands executed by the AI. | LLM | scripts/emergency-recovery-v2.sh:204 |
| HIGH | AI Agent with Full Workspace Access (Command Injection / Excessive Permissions). The skill explicitly launches the Claude Code AI agent with the `--trust-workspace` flag, granting it full access to the local filesystem and the ability to execute arbitrary commands. While this is the intended functionality for an 'emergency doctor' AI, it represents a significant security risk. If the LLM is compromised (e.g., via a sophisticated prompt injection from logs it analyzes, or if the LLM itself generates malicious commands), it can execute arbitrary code on the host system with the permissions of the user running the skill. The script then sends commands like 'openclaw status', 'openclaw logs', 'openclaw diagnose', 'openclaw report' to this highly privileged Claude session. Re-evaluate the necessity of `--trust-workspace`. If full access is required, implement strict input validation and sanitization for any data fed to the LLM. Consider using a more constrained execution environment (e.g., a container or a sandboxed shell) for the AI agent to limit potential damage. Implement robust monitoring and auditing of commands executed by the AI. | LLM | scripts/emergency-recovery.sh:169 |
| HIGH | Unpinned Remote Script Execution (Supply Chain Risk). The `install.sh` script downloads and executes shell scripts directly from a hardcoded GitHub raw content URL (`https://raw.githubusercontent.com/Ramsbaby/openclaw-self-healing/main/scripts/`). This 'curl \| bash' pattern is highly vulnerable to supply chain attacks. If the `Ramsbaby/openclaw-self-healing` GitHub repository is compromised, an attacker could inject malicious code into these remote scripts. The installer would then download and execute this malicious code on the user's system with the permissions of the user running the installer, leading to arbitrary code execution. Avoid downloading and executing scripts directly from unpinned remote URLs. Instead, package all necessary scripts within the skill itself or use a secure package manager with cryptographic verification. If remote fetching is unavoidable, pin to specific commit hashes or use cryptographic hashes to verify script integrity before execution. Implement strict access controls on the downloaded scripts. | LLM | install.sh:120 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/ramsbaby/openclaw-self-healing/install.sh:23 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/ramsbaby/openclaw-self-healing/scripts/emergency-recovery-monitor.sh:10 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/ramsbaby/openclaw-self-healing/scripts/emergency-recovery-v2.sh:18 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/ramsbaby/openclaw-self-healing/scripts/emergency-recovery.sh:17 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/ramsbaby/openclaw-self-healing/scripts/gateway-healthcheck.sh:14 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/ramsbaby/openclaw-self-healing/scripts/metrics-dashboard.sh:7 |
| MEDIUM | Exfiltration of Sensitive Session Logs via Webhooks. The `emergency-recovery-v2.sh` and `emergency-recovery.sh` scripts capture the entire `tmux` session (including Claude's interactive session and any commands it executes) to a log file (`claude-session-$TIMESTAMP.log`). The `emergency-recovery-monitor.sh` script then reads these logs and sends them, along with other diagnostic information, to a user-configured Discord or Telegram webhook. Given that Claude operates with `--trust-workspace` (full system access), it could potentially be prompted (maliciously or accidentally) to output sensitive system information, credentials, or file contents. This information would then be captured in the session log and exfiltrated via the configured webhooks. While the webhooks are user-configured, the broad access granted to Claude creates a high potential for sensitive data exposure. Implement stricter controls over what information Claude is allowed to output to the session log, especially when operating with `--trust-workspace`. Redact sensitive patterns from logs before exfiltration. Ensure that the LLM's prompts and context are carefully managed to prevent it from revealing confidential data. Regularly audit the content of these logs for sensitive information. | LLM | scripts/emergency-recovery-v2.sh:236 |
| MEDIUM | Exfiltration of Sensitive Session Logs via Webhooks. The `emergency-recovery-v2.sh` and `emergency-recovery.sh` scripts capture the entire `tmux` session (including Claude's interactive session and any commands it executes) to a log file (`claude-session-$TIMESTAMP.log`). The `emergency-recovery-monitor.sh` script then reads these logs and sends them, along with other diagnostic information, to a user-configured Discord or Telegram webhook. Given that Claude operates with `--trust-workspace` (full system access), it could potentially be prompted (maliciously or accidentally) to output sensitive system information, credentials, or file contents. This information would then be captured in the session log and exfiltrated via the configured webhooks. While the webhooks are user-configured, the broad access granted to Claude creates a high potential for sensitive data exposure. Implement stricter controls over what information Claude is allowed to output to the session log, especially when operating with `--trust-workspace`. Redact sensitive patterns from logs before exfiltration. Ensure that the LLM's prompts and context are carefully managed to prevent it from revealing confidential data. Regularly audit the content of these logs for sensitive information. | LLM | scripts/emergency-recovery.sh:199 |