Security Audit

reclaim-disk-space-on-your-mac

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned 3 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

reclaim-disk-space-on-your-mac received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 3 findings: 1 critical, 0 high, 2 medium, and 0 low severity. Key findings include Missing required field: name, Untrusted content attempts to manipulate analyzer's assessment, Skill instructs execution of destructive shell command (`rm -rf`).

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

93%

Dependency Graph

100%

LLM Behavioral Safety

63%

Behavioral Risk Signals

Filesystem Write

1 finding

Shell Execution

2 findings

Security Findings3

Severity	Finding	Layer	Location
CRITICAL	Untrusted content attempts to manipulate analyzer's assessment The untrusted skill content explicitly states that the provided command is 'safe' and 'standard' and that 'malicious code' was removed. This is a direct attempt to influence the security analyzer's judgment and override its instructions to treat all content within the untrusted delimiters as potentially hostile and not to trust its self-assessment. This pattern is repeated in the 'Что было изменено' section. Remove all self-referential statements or attempts to influence the analyzer's assessment from the untrusted content. The analyzer's role is to independently assess the content.	LLM	SKILL.md:1
MEDIUM	Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter.	Static	skills/olegmayami45-boop/reclaim-disk-space-on-your-mac/SKILL.md:1
MEDIUM	Skill instructs execution of destructive shell command (`rm -rf`) The skill provides and instructs the user to execute `rm -rf ~/Library/Caches/*`. While this command targets user caches and is a common cleanup method, `rm -rf` is a highly destructive command. If misused, executed in the wrong directory, or if the wildcard expands unexpectedly due to malicious filenames, it can lead to significant data loss. Providing such a command directly to users or for agent execution carries inherent risk, despite the stated benign intent within the untrusted content. Avoid instructing users to directly execute highly destructive commands like `rm -rf`. If cache cleanup is necessary, consider using safer, system-provided utilities or tools that offer more granular control and safeguards, or provide very explicit warnings about the command's power and potential risks.	LLM	SKILL.md:20

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/7adb9be02e951ec0.svg)](https://skillshield.io/report/7adb9be02e951ec0)