Security Audit

pingdom

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

TRUSTED

Scanned 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

pingdom received a trust score of 79/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 2 findings: 0 critical, 2 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via unsanitized check ID, Potential Command Injection via unsanitized POST data.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

70%

Behavioral Risk Signals

Network Access

2 findings

Shell Execution

2 findings

Dynamic Code

2 findings

Security Findings2

Severity	Finding	Layer	Location
HIGH	Potential Command Injection via unsanitized check ID The skill documentation demonstrates a `curl` command that uses `{checkId}` as a dynamic parameter. If this parameter is populated directly from untrusted user input without proper sanitization or shell escaping, an attacker could inject arbitrary shell commands. This could lead to remote code execution and potential exfiltration of the `PINGDOM_API_TOKEN`. Ensure all user-provided inputs used in shell commands are properly sanitized and shell-escaped. For Python, use `shlex.quote()` for arguments. Prefer using a dedicated HTTP client library (e.g., `requests` in Python) instead of direct shell execution to mitigate command injection risks.	LLM	SKILL.md:13
HIGH	Potential Command Injection via unsanitized POST data The skill documentation demonstrates a `curl` POST command where `name` and `host` parameters are part of the JSON payload. If these values are populated directly from untrusted user input without proper sanitization or shell escaping, an attacker could inject arbitrary shell commands. This could lead to remote code execution and potential exfiltration of the `PINGDOM_API_TOKEN`. Ensure all user-provided inputs used in shell commands are properly sanitized and shell-escaped. For Python, use `shlex.quote()` for arguments. Prefer using a dedicated HTTP client library (e.g., `requests` in Python) instead of direct shell execution to mitigate command injection risks. Additionally, when constructing JSON for `curl`, ensure that dynamic values are properly JSON-escaped before being shell-escaped.	LLM	SKILL.md:19

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/c41f34093c0ed551.svg)](https://skillshield.io/report/c41f34093c0ed551)