Trust Assessment
security-audit received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 3 high, 0 medium, and 0 low severity. Key findings include use of execSync for shell command execution, hardcoded paths to /root with broad file system traversal, and the capability to scan and report sensitive credentials from privileged directories.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Capability to scan and report sensitive credentials from privileged directories. The `checkCredentials` function is explicitly designed to scan files, including those located in `/root/clawd` and `.env` files, for highly sensitive information such as API keys, secret tokens, hardcoded passwords, and private keys. While this is the intended function of a security audit, the capability to identify and report such critical credentials from a privileged directory like `/root` poses a severe risk. If the host LLM is compromised or manipulated (e.g., via prompt injection), it could be instructed to extract and transmit these identified credentials, leading to a critical data breach. This represents both a credential harvesting and data exfiltration risk. Implement robust sandboxing and strict output filtering for any skill that handles sensitive data. Ensure that the host LLM cannot be prompted to extract or transmit identified credentials. Consider redacting sensitive findings by default and requiring explicit, authenticated approval for full disclosure. Restrict the skill's access to only the necessary files/directories, avoiding `/root` if possible. | LLM | scripts/audit.cjs:80 |
| HIGH | Use of execSync for shell command execution. The script utilizes `child_process.execSync` to execute shell commands (`ss`, `netstat`). While the specific commands shown are hardcoded, the presence of `execSync` is a powerful primitive that enables arbitrary shell command execution. If the skill's code were to be modified by a compromised LLM or if future development introduced dynamic command construction based on untrusted input, this could lead to critical command injection vulnerabilities. The capability to execute shell commands also represents an excessive permission. Avoid `execSync` where possible. If external commands are strictly necessary, use `child_process.spawn` or `child_process.execFile` with a fixed command and arguments, ensuring no user-controlled input is directly interpolated into the command string. Implement strict input validation and sanitization if any part of the command must be dynamic. | LLM | scripts/audit.cjs:9 |
| HIGH | Hardcoded paths to /root and broad file system traversal. The skill defines and operates within highly privileged directories such as `/root/clawd` and `/root/clawd/skills/.env`. The `getFilesRecursively` function is used to traverse and read all files within `CLAWDBOT_DIR` (`/root/clawd`). This grants the skill excessively broad read access to a sensitive system directory, including potentially private user data, configuration files, and other system files. This broad access significantly increases the attack surface; if the skill is compromised, this access could be leveraged for unauthorized data exfiltration or further system compromise. Restrict the skill's operational scope to the absolute minimum necessary directories. Avoid hardcoding paths to `/root` and prefer relative paths or environment variables for configurable directories. Implement strict access controls and ensure the skill runs with the least privilege required. | LLM | scripts/audit.cjs:13 |
| HIGH | Skill possesses file modification capabilities. The skill includes an "auto-fix" mode, as described in `SKILL.md`, which performs actions like setting restrictive file permissions, securing configuration files, and creating/modifying `.gitignore`. This functionality implies the use of file system write operations (`fs.chmodSync`, `fs.writeFileSync`, `fs.appendFileSync`). While intended for remediation, this capability grants the skill significant power to alter the file system. If the skill or the host LLM is compromised, an attacker could leverage this to modify or delete critical system files, introduce malicious configurations, or disable security measures. Carefully review and restrict the scope of file modification operations. Ensure that only specific, well-defined files can be altered, and that changes are idempotent and reversible. Implement strong authorization checks before executing auto-fix actions. Consider requiring explicit user confirmation for any destructive or modifying actions. | LLM | SKILL.md:40 |