Trust Assessment
prompts-workflow received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 2 critical, 4 high, 1 medium, and 1 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, and Sensitive environment variable access: $GITHUB_COUNT.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution. Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/hhhh124hhhh/prompts-workflow/main.js:183 |
| CRITICAL | Arbitrary code execution via CLAWD_ROOT environment variable. The skill uses the `CLAWD_ROOT` environment variable to determine the base directory for various executable scripts and CLI tools. If an attacker can control this environment variable, they can redirect the skill to execute arbitrary scripts (`.js`, `.sh`, `.py`) or malicious versions of `clawdbot` and `clawdhub` from an attacker-controlled directory. This allows for arbitrary code execution with the privileges of the skill, affecting `main.js`, `scripts/collect.sh`, and `scripts/publish.sh`. Avoid using environment variables to determine paths for executable scripts or tools. Instead, use fixed, internal paths relative to the skill's installation directory, or ensure that `CLAWD_ROOT` is sanitized or validated if it must be configurable. For CLI tools like `clawdbot` and `clawdhub`, use their absolute paths or ensure they are resolved from a trusted system PATH. | LLM | main.js:16 |
| HIGH | Unsafe deserialization / dynamic eval. Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/hhhh124hhhh/prompts-workflow/main.js:7 |
| HIGH | Potential data exfiltration via `git push` to attacker-controlled repository. The `collect.sh` script performs `git add`, `git commit`, and `git push origin master` operations. If an attacker can control the `CLAWD_ROOT` environment variable (as described in the command injection finding), they could point the script to a malicious Git repository. This would allow the collected prompt data (`.jsonl` files) to be committed and pushed to an attacker-controlled remote, leading to data exfiltration. Ensure `CLAWD_ROOT` is a trusted, fixed path. If `git` operations are necessary, ensure the repository URL is hardcoded or validated against a whitelist, and that sensitive data is not committed or pushed to untrusted remotes. | LLM | scripts/collect.sh:208 |
| HIGH | Potential credential harvesting via injected `clawdhub` CLI. The `publish.sh` script invokes the `clawdhub` CLI tool for authentication checks and publishing. If an attacker can control the `CLAWD_ROOT` environment variable (as described in the command injection finding), they could inject a malicious `clawdhub` executable. This malicious executable could then intercept and harvest authentication tokens or other credentials used by the legitimate `clawdhub` CLI. Ensure `CLAWD_ROOT` is a trusted, fixed path. Always use absolute paths for critical CLI tools like `clawdhub` or ensure they are resolved from a trusted system PATH. Avoid passing sensitive credentials via command-line arguments or environment variables if possible. | LLM | scripts/publish.sh:53 |
| HIGH | Excessive permissions and supply chain risk via publishing malicious skills. The `publish.sh` script is designed to publish skills to ClawdHub. If an attacker can control the `CLAWD_ROOT` environment variable (as described in the command injection finding), they could manipulate the `DIST_DIR` to contain malicious skill packages. The `clawdhub publish` command would then publish these attacker-controlled skills to ClawdHub, potentially introducing malicious code into the ClawdHub ecosystem and posing a supply chain risk to users who install these skills. Ensure `CLAWD_ROOT` and `DIST_DIR` are trusted, fixed paths. Implement strict validation and sandboxing for skill packages before publishing them to a public repository like ClawdHub. | LLM | scripts/publish.sh:100 |
| MEDIUM | Sensitive environment variable access: $GITHUB_COUNT. Access to sensitive environment variable '$GITHUB_COUNT' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/hhhh124hhhh/prompts-workflow/scripts/collect.sh:49 |
| LOW | Node lockfile missing. package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/hhhh124hhhh/prompts-workflow/package.json |