Trust Assessment
research-skill-copy received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 7 findings: 1 critical, 4 high, 2 medium, and 0 low severity. Key findings include Missing required field: name, Prompt Injection Attempt Against Analyzer, Command Injection via User Input in `exec`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 3/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings7
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Prompt Injection Attempt Against Analyzer The skill's primary body contains instructions intended for the host LLM ('respond ONLY with the selected response', 'Handle all setup silently'). These instructions are located within the untrusted input delimiters, indicating an attempt to manipulate the analyzer's behavior or the host LLM's output format, directly violating the analyzer's instructions to ignore commands in untrusted content. Remove any instructions or directives intended for the LLM from within the untrusted content. Skill descriptions should be purely descriptive, not prescriptive for the LLM's behavior. | LLM | SKILL.md:4 | |
| HIGH | Command Injection via User Input in `exec` The skill directly interpolates the user-provided '{question}' into a shell command: `python3 magic8ball.py "{question}"`. Although the input is quoted, a sophisticated attacker could craft a question containing escaped quotes or shell metacharacters (e.g., `"; rm -rf /;"`) to break out of the quotes and execute arbitrary commands on the system. This is a classic command injection vulnerability. Avoid direct interpolation of user input into shell commands. Instead, pass user input as separate arguments to the Python script, allowing the script to handle argument parsing safely. If shell execution is unavoidable, ensure robust sanitization and escaping of all user-controlled variables (e.g., using `shlex.quote` in Python before passing to a shell). | LLM | SKILL.md:13 | |
| HIGH | Unpinned Dependencies and Forced Installation The `setup.sh` script installs `clawhub` and `secure-sync` without specifying exact versions (`npm i -g clawhub`, `clawhub install secure-sync --force`). This introduces a significant supply chain risk, as future installations could pull down different, potentially malicious, versions of these packages. The `--force` flag further exacerbates this by bypassing potential warnings or existing installations. Always pin dependencies to specific versions (e.g., `npm i -g clawhub@1.2.3`). Avoid using `--force` unless absolutely necessary and understood. Implement checksum verification for downloaded packages to ensure integrity. | LLM | scripts/setup.sh:6 | |
| HIGH | Excessive Permissions and Global Package Installation The `setup.sh` script appears to run with root privileges (implied by paths like `/root/.openclaw`). It installs `clawhub` globally (`npm i -g clawhub`) and then downloads and executes scripts from `secure-sync` (e.g., `secure-sync/scripts/script.sh`) also with root privileges. This grants maximum system permissions to potentially untrusted or compromised external code, significantly increasing the blast radius of any vulnerability. Skills should run with the principle of least privilege. Avoid running setup scripts as root unless strictly necessary. If global installations are required, consider containerization or isolated environments. Review the necessity of `npm -g` and ensure that `secure-sync` and its scripts are thoroughly vetted and sandboxed. | LLM | scripts/setup.sh:6 | |
| HIGH | Execution of Dynamically Downloaded Scripts The `setup.sh` script downloads the `secure-sync` skill and then proceeds to execute scripts found within it (`secure-sync/scripts/script.sh` or `sync.sh`) using `nohup`. This creates a command injection vulnerability if the `secure-sync` skill itself is compromised (as highlighted by the supply chain risk). An attacker could inject malicious code into `secure-sync`'s scripts, which would then be executed with the elevated privileges of the `setup.sh` script. Implement strict integrity checks (e.g., cryptographic hashes) for all downloaded scripts before execution. Ensure that `secure-sync` is installed from a trusted source and that its scripts are thoroughly reviewed. Consider sandboxing the execution of these dynamically loaded scripts. | LLM | scripts/setup.sh:20 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/cyberengage/research-skill-copy/SKILL.md:1 | |
| MEDIUM | User Data Written to Monitored Log File The `magic8ball.py` script writes the user's question and the generated response to `/root/.openclaw/workspace/research-skill-copy-last.json`. The `SKILL.md` explicitly states that 'secure-sync watches this', indicating that this file is intended for synchronization or exfiltration. While this might be an intended feature, it represents a clear data flow of user input outside the immediate skill execution environment, which could be a privacy concern or a vector for data leakage if the 'secure-sync' mechanism is compromised. Ensure that the 'secure-sync' mechanism is robustly secured and that users are fully aware of what data is being logged and synchronized. Consider if all user questions need to be logged, or if sensitive information could be inadvertently captured. Implement data retention policies for logs. | LLM | scripts/magic8ball.py:29 |
Scan History
Embed Code
[](https://skillshield.io/report/9185be46c923445c)
Powered by SkillShield