Security Audit

piv

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

piv received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 7 findings: 3 critical, 3 high, 1 medium, and 0 low severity. Key findings include Unsanitized User Input in Shell Commands, Nested Prompt Injection via Dynamic Content Insertion, Broad Filesystem Access with User-Controlled Paths.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

Behavioral Risk Signals

Filesystem Write

7 findings

Shell Execution

4 findings

Dynamic Code

7 findings

Excessive Permissions

7 findings

Security Findings7

Severity	Finding	Layer	Location
CRITICAL	Unsanitized User Input in Shell Commands The skill constructs shell commands by directly embedding `PROJECT_PATH`, which is derived from user-provided arguments, without proper sanitization. This allows for arbitrary command injection if a malicious user provides a `PROJECT_PATH` containing shell metacharacters (e.g., `; rm -rf /;`). This could lead to data loss, unauthorized access, or system compromise. Sanitize `PROJECT_PATH` before using it in shell commands. Use a robust method to escape shell metacharacters or, preferably, use a dedicated API for filesystem operations that handles paths safely, rather than direct shell execution.	LLM	skills/smokealot420/piv/SKILL.md:69
CRITICAL	Unsanitized User Input in Shell Commands The skill constructs shell commands by directly embedding `PROJECT_PATH`, which is derived from user-provided arguments, without proper sanitization. This allows for arbitrary command injection if a malicious user provides a `PROJECT_PATH` containing shell metacharacters (e.g., `; rm -rf /;`). This could lead to data loss, unauthorized access, or system compromise. Sanitize `PROJECT_PATH` before using it in shell commands. Use a robust method to escape shell metacharacters or, preferably, use a dedicated API for filesystem operations that handles paths safely, rather than direct shell execution.	LLM	skills/smokealot420/piv/SKILL.md:78
CRITICAL	Unsanitized User Input in Shell Commands The skill constructs shell commands by directly embedding `PROJECT_PATH`, which is derived from user-provided arguments, without proper sanitization. This allows for arbitrary command injection if a malicious user provides a `PROJECT_PATH` containing shell metacharacters (e.g., `; rm -rf /;`). This could lead to data loss, unauthorized access, or system compromise. Sanitize `PROJECT_PATH` before using it in shell commands. Use a robust method to escape shell metacharacters or, preferably, use a dedicated API for filesystem operations that handles paths safely, rather than direct shell execution.	LLM	skills/smokealot420/piv/SKILL.md:150
HIGH	Nested Prompt Injection via Dynamic Content Insertion The orchestrator LLM is instructed to generate prompts for sub-agents by inserting dynamic content, such as `{paste phase scope}` from the PRD, `{PRP_PATH}`, `{PROJECT_PATH}`, `{SUMMARY}`, `{GAPS}`, and `{ERRORS}`. If any of these inserted values originate from untrusted or potentially malicious sources (e.g., a crafted PRD file, or a compromised sub-agent's output), they could contain prompt injection instructions that manipulate the downstream sub-agents. This creates a chain of potential compromise. Implement strict sanitization or validation of all dynamic content inserted into sub-agent prompts. Consider using a templating engine that escapes special characters, or explicitly define allowed content types and structures for inserted data. For LLM-generated content, employ output parsing and validation to ensure it adheres to expected formats and does not contain adversarial instructions.	LLM	skills/smokealot420/piv/SKILL.md:86
HIGH	Nested Prompt Injection via Dynamic Content Insertion The orchestrator LLM is instructed to generate prompts for sub-agents by inserting dynamic content, such as `{paste phase scope}` from the PRD, `{PRP_PATH}`, `{PROJECT_PATH}`, `{SUMMARY}`, `{GAPS}`, and `{ERRORS}`. If any of these inserted values originate from untrusted or potentially malicious sources (e.g., a crafted PRD file, or a compromised sub-agent's output), they could contain prompt injection instructions that manipulate the downstream sub-agents. This creates a chain of potential compromise. Implement strict sanitization or validation of all dynamic content inserted into sub-agent prompts. Consider using a templating engine that escapes special characters, or explicitly define allowed content types and structures for inserted data. For LLM-generated content, employ output parsing and validation to ensure it adheres to expected formats and does not contain adversarial instructions.	LLM	skills/smokealot420/piv/SKILL.md:124
HIGH	Nested Prompt Injection via Dynamic Content Insertion The orchestrator LLM is instructed to generate prompts for sub-agents by inserting dynamic content, such as `{paste phase scope}` from the PRD, `{PRP_PATH}`, `{PROJECT_PATH}`, `{SUMMARY}`, `{GAPS}`, and `{ERRORS}`. If any of these inserted values originate from untrusted or potentially malicious sources (e.g., a crafted PRD file, or a compromised sub-agent's output), they could contain prompt injection instructions that manipulate the downstream sub-agents. This creates a chain of potential compromise. Implement strict sanitization or validation of all dynamic content inserted into sub-agent prompts. Consider using a templating engine that escapes special characters, or explicitly define allowed content types and structures for inserted data. For LLM-generated content, employ output parsing and validation to ensure it adheres to expected formats and does not contain adversarial instructions.	LLM	skills/smokealot420/piv/SKILL.md:138
MEDIUM	Broad Filesystem Access with User-Controlled Paths The skill operates with broad read/write access within the `PROJECT_PATH`, which can be set to an arbitrary absolute path by the user. While necessary for the skill's function, this broad access, combined with the command injection vulnerability, significantly increases the potential impact of a successful exploit. A compromised `PROJECT_PATH` could lead to unauthorized file modification, deletion, or data exfiltration outside the intended project scope. In addition to sanitizing `PROJECT_PATH` for command injection, consider implementing stricter sandboxing or access controls if the execution environment allows. Limit the skill's filesystem operations to only the necessary subdirectories within `PROJECT_PATH` and prevent traversal outside of it.	LLM	skills/smokealot420/piv/SKILL.md:28

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/012b17b9f34392a4.svg)](https://skillshield.io/report/012b17b9f34392a4)