Trust Assessment
project-context-sync received a trust score of 38/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 0 critical, 3 high, 3 medium, and 0 low severity. Key findings include "Missing required field: name", "Sensitive path access: AI agent config", and "Sensitive environment variable access: $HOME".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| HIGH | Sensitive path access: AI agent config | Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/joe3112/project-context-sync/SKILL.md:96 |
| HIGH | Sensitive path access: AI agent config | Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/joe3112/project-context-sync/SKILL.md:111 |
| HIGH | Prompt Injection via Git Commit Metadata | The `update-context.sh` script constructs an LLM prompt using various pieces of git repository information, including commit messages (`LAST_MSG`), changed file lists (`FILES_LIST`), and recent commit summaries (`RECENT`). An attacker who can make commits to the repository (e.g., a malicious contributor or via a compromised account) could craft commit messages or file names containing prompt injection payloads. These payloads would then be included verbatim in the LLM prompt, potentially manipulating the LLM's behavior to generate malicious content, reveal sensitive information, or perform unintended actions. Sanitize or filter user-controlled git content (commit messages, file names) before including it in the LLM prompt. Implement a robust input validation mechanism to remove or escape characters that could be interpreted as prompt injection commands. Alternatively, use a separate, less privileged LLM call for summarization if the main LLM is sensitive, or explicitly warn users about the risks of untrusted commit content. | LLM | scripts/update-context.sh:120 |
| MEDIUM | Missing required field: name | The 'name' field is required for openclaw skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/joe3112/project-context-sync/SKILL.md:1 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/joe3112/project-context-sync/scripts/update-context.sh:184 |
| MEDIUM | Potential Data Exfiltration via Misconfigured LLM Gateway | The `update-context.sh` script reads the `gateway.auth.token` and `gateway.port` from `~/.clawdbot/clawdbot.json` and uses them to make a `curl` request to an LLM gateway. The `PROMPT` sent to the gateway contains potentially sensitive git repository information (commit messages, file names, diffs). While the documentation states the default `clawdbot` gateway binding is `loopback` (localhost), the script itself does not enforce this. If the `clawdbot.json` configuration is modified to point `GATEWAY_URL` to an external or malicious server, the `GATEWAY_TOKEN` and the sensitive git repository data could be exfiltrated to an attacker-controlled endpoint. Add a check within `update-context.sh` to verify that the `GATEWAY_URL` is a loopback address (e.g., `localhost`, `127.0.0.1`) before sending the `Authorization` token and sensitive data. If an external URL is detected, either refuse to proceed or issue a prominent warning to the user. Alternatively, ensure `clawdbot` itself strictly enforces loopback binding for token-authenticated endpoints by default and provides clear warnings if this is overridden. | LLM | scripts/update-context.sh:178 |