Trust Assessment
price-monitor received a trust score of 83/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include a missing required field (`name`) and potential command injection via `curl` parameters.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via `curl` parameters: The skill describes using `curl` to fetch data from CoinGecko, with parameters like `ids` and `vs_currencies` expected to be derived from user input. While the skill explicitly recommends "Validate user input for coin IDs (alphanumeric and hyphens only)", the actual implementation of this validation is not provided within the skill description. If the host LLM or the skill's execution environment constructs the `curl` command by directly interpolating unvalidated user input into the URL or shell command string, it could lead to command injection. An attacker could craft malicious input (e.g., `ids=bitcoin,ethereum%60%3Bevil_command%3B%60`) to execute arbitrary shell commands. Ensure all user-provided inputs used in shell commands (especially URL parameters like `ids` and `vs_currencies`) are strictly validated against an allow-list of expected characters (alphanumeric, hyphens, commas) and properly escaped using `shlex.quote` or equivalent before being passed to `curl` or any other shell command. Implement robust input sanitization at the point of command construction. | LLM | SKILL.md:19 |
| MEDIUM | Missing required field: `name`. The `name` field is required for claude_code skills but is missing from the frontmatter. Add a `name` field to the SKILL.md frontmatter. | Static | skills/sa9saq/price-monitor/SKILL.md:1 |