Trust Assessment
payment-application-generator received a trust score of 79/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include "Missing required field: name" and "Arbitrary File Write / Data Exfiltration via uncontrolled output path".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Arbitrary File Write / Data Exfiltration via uncontrolled output path. The `export_application` function writes an Excel file to a path specified by the `output_path` argument. If this argument is controlled by untrusted input, an attacker could specify an arbitrary file path, leading to: 1) writing files to sensitive system locations (arbitrary file write), potentially overwriting critical files or placing malicious content; or 2) writing sensitive financial data (project name, contractor, owner, contract sums, payment details) to publicly accessible directories, leading to data exfiltration. Validate and sanitize the `output_path` argument to ensure it points only to allowed, non-sensitive directories, ideally within a sandboxed or temporary location. Consider restricting file writes to a specific, secure directory or using a file picker/save dialog in the UI rather than directly accepting a string path from untrusted input. | LLM | SKILL.md:240 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/datadrivenconstruction/payment-application-generator/SKILL.md:1 |