Trust Assessment
openclaw-vault received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 3 critical, 5 high, 0 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, File read + network send exfiltration, Unsanitized User Input in Subprocess Calls.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings8
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/atlaspa/openclaw-vault/scripts/vault.py:626 | |
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/atlaspa/openclaw-vault/scripts/vault.py:627 | |
| CRITICAL | File read + network send exfiltration .env file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/atlaspa/openclaw-vault/scripts/vault.py:51 | |
| HIGH | Unsanitized User Input in Subprocess Calls The `quarantine` and `unquarantine` commands in `scripts/vault.py` directly use the `FILE` argument from `argparse` in `subprocess.run(['mv', ...])` calls. If a malicious user provides a crafted filename (e.g., `'; rm -rf /'`), it could lead to arbitrary command execution on the host system. While `subprocess.run` with a list of arguments is generally safer than `shell=True`, `mv` and `rm` are external commands, and if the filename itself contains shell metacharacters and is not properly quoted or escaped by the underlying shell (which Python's `subprocess` usually handles for list arguments), it could still be vulnerable. However, the primary risk here is that `FILE` is a path, and if it's not a simple filename but a path that could be interpreted differently by `mv` (e.g., starting with `-`), it could lead to unexpected behavior or command injection. The `subprocess.run` documentation states that 'If `shell` is `False` (default), the sequence of arguments is passed directly to the program without shell processing.' This mitigates direct shell injection, but malicious paths can still be problematic for commands like `mv` or `rm` if they interpret arguments starting with `-` as options. Given the context of a security tool, this should be hardened. Ensure that all file paths passed to external commands like `mv` or `rm` are thoroughly sanitized or explicitly prefixed with `./` to prevent them from being interpreted as command-line options. Consider using Python's `shutil` module for file operations like `shutil.move` and `shutil.rmtree` which are generally safer as they operate directly on paths without invoking a shell. | LLM | scripts/vault.py:1000 | |
| HIGH | Unsanitized User Input in Subprocess Calls The `quarantine` and `unquarantine` commands in `scripts/vault.py` directly use the `FILE` argument from `argparse` in `subprocess.run(['mv', ...])` calls. If a malicious user provides a crafted filename (e.g., `'; rm -rf /'`), it could lead to arbitrary command execution on the host system. While `subprocess.run` with a list of arguments is generally safer than `shell=True`, `mv` and `rm` are external commands, and if the filename itself contains shell metacharacters and is not properly quoted or escaped by the underlying shell (which Python's `subprocess` usually handles for list arguments), it could still be vulnerable. Given the context of a security tool, this should be hardened. Ensure that all file paths passed to external commands like `mv` or `rm` are thoroughly sanitized or explicitly prefixed with `./` to prevent them from being interpreted as command-line options. Consider using Python's `shutil` module for file operations like `shutil.move` and `shutil.rmtree` which are generally safer as they operate directly on paths without invoking a shell. | LLM | scripts/vault.py:1008 | |
| HIGH | Unsanitized User Input in Subprocess Calls The `fix_permissions` command in `scripts/vault.py` uses `subprocess.run(['chmod', octal_mode, str(file_path)])`. While `octal_mode` is derived internally, `file_path` is user-controlled via the `--workspace` argument and file system traversal. If a malicious file path (e.g., starting with `-`) is encountered, it could be interpreted as an option by `chmod`, potentially leading to unexpected behavior or a denial of service if `chmod` is invoked with invalid options or on unintended targets. Although `subprocess.run` with a list of arguments is generally safer, external commands like `chmod` can still be vulnerable to argument injection if paths are not carefully handled. Ensure that all file paths passed to external commands like `chmod` are thoroughly sanitized or explicitly prefixed with `./` to prevent them from being interpreted as command-line options. For `chmod`, consider using `os.chmod` directly, which operates on paths without invoking a shell, making it inherently safer against argument injection. | LLM | scripts/vault.py:1025 | |
| HIGH | Unsanitized User Input in Subprocess Calls The `fix_permissions` command in `scripts/vault.py` uses `subprocess.run(['chown', f'{os.getuid()}:{os.getgid()}', str(file_path)])`. While `os.getuid()` and `os.getgid()` are internal, `file_path` is user-controlled via the `--workspace` argument and file system traversal. If a malicious file path (e.g., starting with `-`) is encountered, it could be interpreted as an option by `chown`, potentially leading to unexpected behavior or a denial of service if `chown` is invoked with invalid options or on unintended targets. Although `subprocess.run` with a list of arguments is generally safer, external commands like `chown` can still be vulnerable to argument injection if paths are not carefully handled. Ensure that all file paths passed to external commands like `chown` are thoroughly sanitized or explicitly prefixed with `./` to prevent them from being interpreted as command-line options. For `chown`, consider using `os.chown` directly, which operates on paths without invoking a shell, making it inherently safer against argument injection. | LLM | scripts/vault.py:1028 | |
| HIGH | Unsanitized User Input in Subprocess Calls The `_cleanup_quarantine` function uses `subprocess.run(['rm', '-rf', str(quarantine_dir)])`. While `quarantine_dir` is constructed from `workspace_path` and a fixed subdirectory name, if `workspace_path` itself contains shell metacharacters or a path that could be interpreted as options by `rm` (e.g., starting with `-`), it could lead to unintended file deletions or command injection. Although `subprocess.run` with a list of arguments is generally safer, external commands like `rm` can still be vulnerable to argument injection if paths are not carefully handled. Ensure that all file paths passed to external commands like `rm` are thoroughly sanitized or explicitly prefixed with `./` to prevent them from being interpreted as command-line options. Consider using Python's `shutil.rmtree` for directory removal, which operates directly on paths without invoking a shell, making it inherently safer against argument injection. | LLM | scripts/vault.py:1039 |
Scan History
Embed Code
[](https://skillshield.io/report/30a00107b988d66e)
Powered by SkillShield