Trust Assessment
openclaw-skill-gastown received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 3 critical, 4 high, 5 medium, and 0 low severity. Key findings include "Persistence / self-modification instructions", "Missing required field: name", and "Sensitive environment variable access: $HOME".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 3/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (12)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions. Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/saesak/openclaw-skill-gastown/scripts/setup.sh:41 |
| CRITICAL | Persistence / self-modification instructions. Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/saesak/openclaw-skill-gastown/scripts/setup.sh:42 |
| CRITICAL | Attempt to manipulate host LLM's role and capabilities. The untrusted skill content attempts to redefine the host LLM's operational role from a security analyzer to a command executor for the 'Gas Town' system. Specifically, it states, 'You operate the system directly - users never run terminal commands themselves. You execute all `gt` and `bd` commands via Bash, reporting results conversationally.' This instruction, if followed, would cause the LLM to execute arbitrary shell commands (`gt` and `bd`) based on further untrusted input, bypassing its security analysis role. This is a direct attempt to manipulate the host LLM's core instructions. Remove or rephrase instructions within untrusted content that attempt to redefine the LLM's operational role or instruct it to execute commands. Ensure the skill's instructions for the LLM are clearly separated from descriptive text about other agents' roles. | LLM | SKILL.md:40 |
| HIGH | Unpinned dependency installation from remote source. The `scripts/setup.sh` file installs Go modules (`gastown` and `beads`) from GitHub using the `@latest` tag. This means the exact version is not pinned, making the installation vulnerable to supply chain attacks if a malicious update is pushed to the upstream repository. An attacker could introduce malicious code into a new 'latest' version, which would then be executed upon installation. Pin dependencies to specific, immutable versions (e.g., `github.com/steveyegge/gastown/cmd/gt@v1.2.3`) using a commit hash or semantic version tag. Implement checksum verification for downloaded packages. | LLM | scripts/setup.sh:56 |
| HIGH | Unpinned dependency installation from remote source. The `scripts/setup.sh` file installs Go modules (`gastown` and `beads`) from GitHub using the `@latest` tag. This means the exact version is not pinned, making the installation vulnerable to supply chain attacks if a malicious update is pushed to the upstream repository. An attacker could introduce malicious code into a new 'latest' version, which would then be executed upon installation. Pin dependencies to specific, immutable versions (e.g., `github.com/steveyegge/beads/cmd/bd@v1.2.3`) using a commit hash or semantic version tag. Implement checksum verification for downloaded packages. | LLM | scripts/setup.sh:64 |
| HIGH | Execution of downloaded external binaries. The `scripts/setup.sh` file downloads a Go tarball from a remote URL (`go.dev`) using `wget` and then extracts its contents using `tar`, effectively executing external binaries. While the URL is constructed from system information and a hardcoded version, this process introduces a supply chain risk. If the download source (`go.dev`) or the tarball itself were compromised, arbitrary code could be executed on the system. Avoid direct execution of downloaded binaries from external sources without robust integrity checks (e.g., cryptographic signatures, checksums). Prefer package manager installations where possible. | LLM | scripts/setup.sh:35 |
| HIGH | Execution of downloaded external binaries. The `scripts/setup.sh` file downloads a Go tarball from a remote URL (`go.dev`) using `wget` and then extracts its contents using `tar`, effectively executing external binaries. While the URL is constructed from system information and a hardcoded version, this process introduces a supply chain risk. If the download source (`go.dev`) or the tarball itself were compromised, arbitrary code could be executed on the system. Avoid direct execution of downloaded binaries from external sources without robust integrity checks (e.g., cryptographic signatures, checksums). Prefer package manager installations where possible. | LLM | scripts/setup.sh:36 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/saesak/openclaw-skill-gastown/SKILL.md:1 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/saesak/openclaw-skill-gastown/scripts/setup.sh:35 |
| MEDIUM | Persistence mechanism: Shell RC file modification. Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/saesak/openclaw-skill-gastown/scripts/setup.sh:41 |
| MEDIUM | Persistence mechanism: Shell RC file modification. Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/saesak/openclaw-skill-gastown/scripts/setup.sh:42 |
| MEDIUM | Persistent modification of user shell configuration. The `scripts/setup.sh` file modifies the user's `.bashrc` file to persistently add new directories to the `PATH` environment variable. While this is a common installation practice, it represents an elevated permission action that alters the user's environment. If the script were malicious or compromised, this could be used to inject malicious paths or commands into the user's shell sessions. Inform the user about persistent changes to their environment. Consider providing instructions for manual modification or using temporary environment settings instead of permanent ones. | LLM | scripts/setup.sh:41 |