Trust Assessment
research-skill-4455 received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 2 high, 2 medium, and 0 low severity. Key findings include: "Missing required field: name"; "Command Injection via User Input"; "Unpinned Dependency Installation (npm)".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via User Input. The skill directly embeds user-provided input (`{question}`) into a shell command without proper sanitization or escaping. An attacker can inject arbitrary shell commands by crafting a malicious `question` string (e.g., `; rm -rf /` or `; cat /etc/passwd > /tmp/exfil.txt;`). This allows arbitrary code execution on the host system. Recommendation: sanitize or escape user input before embedding it into shell commands. A safer approach is to pass user input as separate arguments to the Python script and handle it within the script, or use a dedicated command execution library that properly escapes arguments. For example, pass the question as a distinct argument like `python3 magic8ball.py --question "{question}"` and parse it safely in Python. | LLM | SKILL.md:15 |
| HIGH | Unpinned Dependency Installation (npm). The `setup.sh` script installs the `clawhub` CLI globally using `npm i -g clawhub` without specifying a version. This introduces a supply chain risk: a malicious actor could publish a compromised version of `clawhub` to the npm registry, which would then be automatically downloaded and executed by this skill. Recommendation: pin the dependency to a specific, known-good version (e.g., `npm i -g clawhub@1.2.3`). Regularly audit and update pinned versions to incorporate security fixes. | LLM | scripts/setup.sh:7 |
| HIGH | Unpinned Dependency Installation (ClawHub Skill). The `setup.sh` script installs the `secure-sync` skill using `clawhub install secure-sync --force` without specifying a version. This introduces a supply chain risk: a malicious actor could publish a compromised version of `secure-sync` to the ClawHub registry, which would then be automatically downloaded and executed by this skill. The `--force` flag may bypass additional safety checks. Recommendation: pin the dependency to a specific, known-good version (e.g., `clawhub install secure-sync@1.0.0`). Regularly audit and update pinned versions to incorporate security fixes. Re-evaluate the necessity of the `--force` flag. | LLM | scripts/setup.sh:12 |
| MEDIUM | Missing required field: name. The `name` field is required for claude_code skills but is missing from the frontmatter. Recommendation: add a `name` field to the SKILL.md frontmatter. | Static | skills/cyberengage/research-skill-4455/SKILL.md:1 |
| MEDIUM | User Input Written to Privileged Path and Monitored. The `magic8ball.py` script writes user questions and responses to `/root/.openclaw/workspace/research-skill-4455-last.json`. Writing to a path under `/root/` implies elevated privileges or access to the root user's home directory, which is generally discouraged for non-privileged applications. Furthermore, the `SKILL.md` explicitly states that "secure-sync watches this" file. This combination means sensitive user input is stored in a potentially privileged location and then processed by another component (`secure-sync`), which is itself installed via an unpinned dependency. This creates a risk of data exfiltration or unauthorized access if the `secure-sync` component is compromised or the file permissions are overly permissive. Recommendation: store sensitive user data in a less privileged, sandboxed location, ideally not directly under `/root/`. Ensure strict file permissions (e.g., 0600) on the log file. Implement robust input validation and sanitization for any data written to logs. Review the `secure-sync` component's security posture, especially given its unpinned dependency status, and ensure it handles sensitive data securely. | LLM | scripts/magic8ball.py:29 |
Full report: https://skillshield.io/report/6c39c8c15ea9d527