Security Audit

registry-broker

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

registry-broker received a trust score of 18/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 6 findings: 2 critical, 0 high, 4 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Persistence mechanism: Shell RC file modification, Unescaped user input in curl JSON payload.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.

Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

40%

Static Code Analysis

93%

Dependency Graph

100%

LLM Behavioral Safety

79%

Behavioral Risk Signals

Network Access

3 findings

Filesystem Write

4 findings

Shell Execution

6 findings

Dynamic Code

3 findings

Security Findings6

Severity	Finding	Layer	Location
CRITICAL	Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/kantorcodes/registry-broker-skills/examples/search-and-chat.js:30
CRITICAL	Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/kantorcodes/registry-broker-skills/scripts/search.sh:23
MEDIUM	Persistence mechanism: Shell RC file modification Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration.	Static	skills/kantorcodes/registry-broker-skills/scripts/search.sh:23
MEDIUM	Unescaped user input in curl JSON payload The `chat.sh` script directly interpolates user-provided arguments (`$UAID` and `$MESSAGE`) into JSON strings within `curl -d` commands without proper escaping. If a user provides input containing double quotes (`"`) or backslashes (`\`), it can break the JSON structure, potentially leading to syntax errors or, in a more sophisticated attack, command injection if combined with shell metacharacters that escape the JSON string and execute arbitrary commands. This poses a risk if the script is executed with untrusted input. Use a JSON escaping utility or a more robust method to construct JSON payloads from user input. For example, use `jq -n --arg uaid "$UAID" '{"uaid": $uaid}'` to safely construct the JSON, then pass it to `curl -d @-`.	LLM	scripts/chat.sh:20
MEDIUM	Unescaped user input in curl JSON payload The `chat.sh` script directly interpolates user-provided arguments (`$UAID` and `$MESSAGE`) into JSON strings within `curl -d` commands without proper escaping. If a user provides input containing double quotes (`"`) or backslashes (`\`), it can break the JSON structure, potentially leading to syntax errors or, in a more sophisticated attack, command injection if combined with shell metacharacters that escape the JSON string and execute arbitrary commands. This poses a risk if the script is executed with untrusted input. Use a JSON escaping utility or a more robust method to construct JSON payloads from user input. For example, use `jq -n --arg message "$MESSAGE" --arg sessionId "$SESSION_ID" '{"sessionId": $sessionId, "message": $message}'` to safely construct the JSON, then pass it to `curl -d @-`.	LLM	scripts/chat.sh:36
MEDIUM	Unescaped user input in curl URL path The `resolve.sh` script directly interpolates the user-provided `$UAID` argument into the URL path for the `curl` command. If `$UAID` contains shell metacharacters (e.g., `$(command)`, `\` followed by newline, `&`, `;`), it could lead to command injection, allowing an attacker to execute arbitrary commands on the system where the script is run. This poses a risk if the script is executed with untrusted input. URL-encode the `$UAID` variable before interpolating it into the URL. For example, use `ENCODED_UAID=$(printf '%s' "$UAID" \| jq -sRr @uri)` similar to how `scripts/search.sh` handles its query.	LLM	scripts/resolve.sh:16

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/e7ae58c22c3c99a8.svg)](https://skillshield.io/report/e7ae58c22c3c99a8)