Trust Assessment
r2 received a trust score of 51/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 7 findings: 1 critical, 2 high, 4 medium, and 0 low severity. Key findings include "Sensitive environment variable access: $HOME", "Unpinned rclone installation via `curl | sudo bash`", and "R2 credentials exposed in command-line arguments".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 26/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Unpinned rclone installation via `curl \| sudo bash`. The skill installs `rclone` by piping a script from `rclone.org` directly to `sudo bash`. This method is highly insecure as it executes arbitrary code from the internet with root privileges without version pinning or content verification. A compromise of `rclone.org` or a man-in-the-middle attack could lead to full system compromise. Avoid piping `curl` to `sudo bash`. Instead, use a package manager (e.g., `apt`, `yum`, `brew`) if available, or download a specific, checksummed binary. If a script must be used, download it, review it, and execute it without `sudo` unless absolutely necessary, and ideally in a sandboxed environment. | LLM | SKILL.md:20 |
| HIGH | R2 credentials exposed in command-line arguments. The `r2-setup` command in `SKILL.md` and `scripts/setup.sh` allows passing the `R2_CONFIG` JSON directly as a command-line argument (`--config '{"access_key_id":"...", ...}'`). This exposes sensitive credentials (access key, secret key) in shell history, process listings (`ps aux`), and potentially logs, making them vulnerable to harvesting by other users or processes on the system. Avoid passing sensitive information directly as command-line arguments. Use environment variables (as suggested by `R2_CONFIG` in the manifest), secure configuration files with restricted permissions, or interactive prompts that mask input. | LLM | SKILL.md:44 |
| HIGH | Potential command injection in setup.sh via CONFIG_JSON. The `scripts/setup.sh` script uses `echo "$CONFIG_JSON" \| python3 -c "..."` to validate and parse the `CONFIG_JSON` input. If `CONFIG_JSON` contains shell metacharacters (e.g., `$(command)`, backticks `` ` ``), these could be interpreted by the shell before being passed to `echo` or `python3`, leading to arbitrary command execution. Do not pass untrusted input directly to `echo` and then pipe it to another command if shell metacharacters could be present. Instead, pass the JSON string directly to `python3` as an argument, or write it to a temporary file and then read it with `python3`. For example, `python3 -c "import json,sys; print(json.loads(sys.argv[1]).get('access_key_id',''))" "$CONFIG_JSON"`. | LLM | scripts/setup.sh:39 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/junwatu/r2-storage/scripts/setup.sh:7 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/junwatu/r2-storage/scripts/show-creds.sh:7 |
| MEDIUM | show-creds.sh explicitly displays R2 credentials. The `scripts/show-creds.sh` script is designed to display the configured R2 access key, secret key, and endpoint. While this is an intended feature, it poses a data exfiltration risk if an attacker gains control of the agent and can execute this script. The `--raw` option facilitates programmatic extraction. Implement stricter access controls for this script. Consider if displaying raw credentials is truly necessary, or if a masked/redacted output would suffice for most use cases. If raw output is needed, ensure it's only accessible to highly privileged users or in secure environments. | LLM | scripts/show-creds.sh:40 |
| MEDIUM | Skill allows arbitrary local file access for R2 operations. The `upload.sh`, `download.sh`, and `sync.sh` scripts accept arbitrary local paths as arguments (`LOCAL_PATH`, `DEST`, `SRC`, `DST`). This means the skill can be instructed to read any file on the local filesystem (that the agent has permissions for) and upload it to R2, or download files from R2 to any local path, potentially overwriting critical system files or performing path traversal attacks (e.g., `../etc/passwd`). While `rclone` itself handles paths, the lack of explicit validation or restriction on the local paths passed by the skill's wrapper scripts constitutes an excessive permission risk. Implement input validation and sanitization for local paths. Restrict local file operations to a designated working directory or a set of allowed directories. Prevent path traversal by normalizing paths or rejecting paths containing `..`. | LLM | scripts/upload.sh:20 |