Trust Assessment
openclaw-triage-pro received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 4 critical, 4 high, 0 medium, and 0 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Arbitrary Code Execution via Malicious Playbooks.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/atlaspa/openclaw-triage-pro/scripts/triage.py:605 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/atlaspa/openclaw-triage-pro/scripts/triage.py:618 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/atlaspa/openclaw-triage-pro/scripts/triage.py:632 |
| CRITICAL | **Arbitrary Code Execution via Malicious Playbooks.** The `playbook` command in `scripts/triage.py` allows for the execution of arbitrary shell commands and Python scripts defined within playbook files. Playbooks are loaded from the workspace (`.triage/playbooks`). If an attacker can write to the workspace or provide a malicious playbook, they can achieve arbitrary code execution with the permissions of the agent. Specifically, the `_run_shell_script` and `_run_python_script` functions directly use `subprocess.run(['sh', '-c', script_content])` and `subprocess.run([sys.executable, '-c', script_content])` respectively, where `script_content` is sourced directly from the playbook JSON. 1. **Restrict Playbook Sources:** Ensure playbooks can only be loaded from trusted, immutable locations (e.g., within the skill package itself, not user-writable workspace directories). 2. **Sanitize Playbook Content:** If user-defined playbooks are necessary, implement strict sanitization and validation of `command`, `python_script`, and `shell_script` content to prevent arbitrary code. Consider using a safer execution environment (e.g., a sandboxed interpreter) or disallowing direct script execution. 3. **Principle of Least Privilege:** If playbooks must execute commands, ensure they run with the minimum necessary permissions. | LLM | scripts/triage.py:1002 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'cmd_remediate'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/atlaspa/openclaw-triage-pro/scripts/triage.py:605 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'cmd_remediate'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/atlaspa/openclaw-triage-pro/scripts/triage.py:618 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'cmd_remediate'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/atlaspa/openclaw-triage-pro/scripts/triage.py:632 |
| HIGH | **Broad System Access via Playbook Execution.** The `openclaw-triage-pro` skill, particularly through its `playbook` functionality, can execute arbitrary shell commands and Python scripts. This grants the skill broad system access with the full permissions of the user running the agent. While an incident response tool inherently requires significant permissions, the ability to execute arbitrary code from potentially untrusted or compromised playbooks (which are stored in the user-writable workspace) represents an excessive permission risk that can be exploited for system-wide compromise. 1. **Mitigate Command Injection:** Address the underlying command injection vulnerability in playbooks to prevent arbitrary code execution. 2. **Execution Sandboxing:** Explore sandboxing mechanisms (e.g., containers, restricted user accounts) for executing playbook commands to limit their impact on the host system. 3. **Strict Access Control:** Implement strict access controls on playbook files to prevent unauthorized modification. | LLM | scripts/triage.py:1002 |