Trust Assessment
ops-framework received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 14 findings: 5 critical, 7 high, 2 medium, and 0 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Suspicious import: urllib.request.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (14)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/zjianru/ops-framework/ops-monitor.py:175 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/zjianru/ops-framework/ops-monitor.py:226 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/zjianru/ops-framework/ops-monitor.py:453 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/zjianru/ops-framework/ops-monitor.py:593 |
| CRITICAL | Untrusted skill executes arbitrary commands from configuration. The `ops-monitor.py` script, which is provided as untrusted content, is designed to execute arbitrary shell commands defined in the `ops-jobs.json` configuration file. Functions like `_run_command`, `_get_job_status`, `_start_job`, `_stop_job`, and `_run_one_shot_job` all call `subprocess.run` with commands directly sourced from `job.commands` in `ops-jobs.json`. While the skill attempts to categorize jobs (e.g., `read_only`, `one_shot_write` with approval), even `read_only` jobs can contain malicious commands. An untrusted skill executing arbitrary commands from a configuration file it controls (or expects to be present) represents a direct command injection vulnerability. Implement strict sandboxing for command execution (e.g., containerization, seccomp filters, restricted user accounts). Validate and sanitize all command arguments and executable paths. For an untrusted skill, direct execution of arbitrary commands is inherently risky and should be prevented by the host environment. | LLM | ops-monitor.py:174 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'send_telegram_via_openclaw'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/zjianru/ops-framework/ops-monitor.py:175 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'run_cmd'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/zjianru/ops-framework/ops-monitor.py:226 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'run_status_cmd'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/zjianru/ops-framework/ops-monitor.py:453 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'maybe_autorun_start'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/zjianru/ops-framework/ops-monitor.py:593 |
| HIGH | Untrusted skill accesses and uses sensitive API token. The `ops-monitor.py` script (untrusted content) directly reads the `telegram.botToken` from `openclaw.json` via `load_json_quiet` and uses it to construct Telegram API requests in `send_telegram_direct`. While the skill attempts to use `openclaw message send` first, it falls back to direct API calls. An untrusted skill having direct access to and using a sensitive credential like a bot token poses a risk of credential exfiltration or misuse, even if the immediate use case is legitimate. The host environment should provide a secure, abstracted API for sending messages (e.g., `openclaw message send`) that does not expose raw credentials to skills. Skills should be restricted from direct filesystem access to sensitive configuration files like `openclaw.json`. | LLM | ops-monitor.py:128 |
| HIGH | Untrusted skill can exfiltrate sensitive data through job output and external messaging. The `ops-monitor.py` script (untrusted content) executes arbitrary commands (as detailed in Finding 1). The output of these commands, including `stdout` and `stderr`, can be captured and processed by the script. Furthermore, the script sends status updates and messages to Telegram, which can include job output or error messages. If a malicious job is executed, or if sensitive data is inadvertently processed by a legitimate job, an untrusted skill could use this mechanism to exfiltrate data to an external service (Telegram). Implement strict sandboxing for job execution to prevent access to sensitive data. Sanitize and filter all job outputs and messages before they are sent to external services. Ensure that the `message` content sent to Telegram is strictly controlled and does not include arbitrary job output. | LLM | ops-monitor.py:440 |
| HIGH | Untrusted skill operates with excessive filesystem and execution permissions. The `ops-monitor.py` script (untrusted content) runs with the full permissions of the user executing it. It can read and write files within `OPENCLAW_HOME` and potentially any other directory if specified in the `cwd` field of `ops-jobs.json`. Combined with the ability to execute arbitrary commands (Finding 1), this grants excessive permissions to an untrusted skill, allowing it to perform unauthorized filesystem operations or escalate privileges. Run skills and their associated jobs in a highly restricted, sandboxed environment with minimal necessary permissions. Restrict the `cwd` to a safe, isolated directory. | LLM | ops-monitor.py:180 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/zjianru/ops-framework/ops-monitor.py:18 |
| MEDIUM | Untrusted skill can terminate arbitrary processes via spoofed PID. The `_stop_job` function uses `os.kill(pid, signal.SIGTERM)` to terminate a job. The `pid` value is obtained from the `JobStatus` object, which is parsed from the JSON output of the `status` command defined in `ops-jobs.json`. If a malicious `status` command (controlled by an attacker via `ops-jobs.json`) reports an arbitrary PID, the untrusted `ops-monitor.py` script could be tricked into sending a `SIGTERM` signal to any process on the system, potentially leading to denial of service or system instability. Validate the `pid` returned by the `status` command to ensure it corresponds to a process owned by the current job or is within a controlled execution environment. Ideally, the host environment should manage process termination securely. | LLM | ops-monitor.py:360 |