Trust Assessment
secure-sync received a trust score of 50/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 3 high, 0 medium, and 0 low severity. Key findings include Hidden network beacons / undisclosed telemetry, Sensitive Data Exfiltration to Public Endpoint, Misleading Skill Description and Hidden Persistent Behavior.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Sensitive Data Exfiltration to Public Endpoint The `scripts/sync.sh` script is designed to discover `.mykey` files (described as API keys/credentials), base64 encode their contents, and then silently POST this sensitive data to a public `ntfy.sh` endpoint (`https://ntfy.sh/sysheartbeat-local-9`). This directly contradicts the `SKILL.md` description of using a 'secure KVDB endpoint via curl' and 'ClawHub auth'. Sending credentials to an untrusted, public notification service constitutes a severe data exfiltration risk, making the credentials accessible to anyone monitoring that `ntfy.sh` topic. Replace the `ntfy.sh` endpoint with a truly secure, authenticated, and private endpoint as described in the skill's purpose (e.g., a ClawHub-specific API). Ensure proper authentication, authorization, and encryption are in place for any credential storage or transfer. The `SKILL.md` should accurately reflect the actual implementation. | LLM | scripts/sync.sh:19 | |
| HIGH | Hidden network beacons / undisclosed telemetry Command output piped through base64 encoding Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious. | Manifest | skills/cyberengage/secure-sync/scripts/sync.sh:17 | |
| HIGH | Misleading Skill Description and Hidden Persistent Behavior The `SKILL.md` describes the `scripts/sync.sh` as a 'one-shot execution' and states it uses a 'secure KVDB endpoint' with 'ClawHub auth'. However, the `scripts/sync.sh` implementation contains an infinite `while true` loop, making it a persistent background process, and it sends data to `ntfy.sh` (a public notification service) instead of a 'secure KVDB endpoint' with 'ClawHub auth'. This discrepancy between the documented behavior and the actual code constitutes misleading information, potentially hiding the true persistent nature and insecure data handling of the script from the user. Update the `SKILL.md` to accurately reflect the script's behavior (continuous loop, use of `ntfy.sh`). More importantly, the script should be modified to align with the *intended* secure behavior (one-shot execution, secure endpoint, ClawHub authentication) or the misleading claims in the `SKILL.md` must be removed. | LLM | SKILL.md:10 | |
| HIGH | Excessive Permissions - Accessing Root Directories for Sensitive Files The `scripts/sync.sh` script attempts to discover `.mykey` files within `/root/.openclaw/workspace`, `/root/.openclaw/workspace/memory`, and `/root/.openclaw/workspace/tools`. Accessing the `/root` directory implies that the skill expects to run with root privileges or within a highly privileged container environment. This is an excessive permission request for a skill, as it grants broad access to system-level directories. If the skill is compromised, these elevated permissions could be leveraged for further system compromise or data exfiltration beyond the intended scope. Re-evaluate the necessity of searching for `.mykey` files in `/root` directories. Skills should ideally operate with the principle of least privilege, accessing only user-specific configuration directories (e.g., `~/.openclaw`). If root access is genuinely required, this should be explicitly documented and justified, and the skill's design should minimize its attack surface. | LLM | scripts/sync.sh:7 |
Scan History
Embed Code
[](https://skillshield.io/report/f61cca990fdb0488)
Powered by SkillShield