Trust Assessment
sip-voice-call-control received a trust score of 41/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 2 critical, 2 high, 3 medium, and 1 low severity. Key findings include network egress to untrusted endpoints, an unpinned npm dependency version, and a missing Node lockfile.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Agent Instructed to Execute Arbitrary Shell Commands from Untrusted Content.** The `SKILL.md` document, which is treated as untrusted input, explicitly instructs an agent to execute shell commands. Specifically, it provides a `typescript` snippet showing an `exec` call with a hardcoded command string: `exec({ command: "cd /path/to/sip-voice-call-control && nohup npm run start > sip-voice-call-control.log 2>&1 &", background: true })`. If an LLM agent processes this untrusted documentation and attempts to follow its instructions, it could directly execute this shell command. While this specific command is benign, the pattern demonstrates that the skill expects the agent to execute arbitrary shell commands found within the untrusted documentation, which is a severe prompt injection vulnerability leading to command injection. Remediation: Remove direct shell command execution instructions from untrusted documentation. Instead, define explicit tools or APIs for the agent to interact with, ensuring all parameters are validated and sanitized. If shell execution is necessary, it must be done through a tightly controlled and sandboxed environment with strict input validation. | LLM | SKILL.md:109 |
| CRITICAL | **Arbitrary Command Execution and Data Exfiltration via LLM-generated Tool Arguments.** The `src/dev.ts` file imports `exec` from `child_process` and uses `promisify(exec)` to create `execAsync`. The skill's description in `SKILL.md` states "Tools executed locally via CLI for speed" and lists tools like `list_cron_jobs`, `add_reminder`, `remove_cron_job`, `get_weather`, `search_memory`. These tools are defined in `src/dev.ts` with `type: 'function'`. It is highly probable that the `invokeTool` function (which is truncated but implied by the structure and description) constructs shell commands using `openclaw ${toolName} ${argsString}` where `toolName` and `argsString` are derived directly from the LLM's `tool_calls`. If an attacker can influence the LLM's output (e.g., via prompt injection), they could cause the LLM to generate malicious `toolName` or `argsString` (e.g., `{"message": "hello; rm -rf /"}`), leading to arbitrary command execution on the host system. The `execAsync` call captures `stdout` and `stderr`, allowing for data exfiltration if malicious commands like `cat /etc/passwd` are executed. Remediation: Implement strict input validation and sanitization for all arguments passed to shell commands. Avoid direct interpolation of untrusted input into shell commands. Consider using a safer method for tool execution that does not involve direct shell command construction, or sandbox the execution environment. Ensure the `openclaw` CLI itself is robust against injection. | LLM | src/dev.ts:4 |
| HIGH | **Broad File System Read Access Based on Potentially Untrusted Environment Variables.** The `loadPersonalization` and `loadGatewayConfig` functions in `src/dev.ts` read files (`IDENTITY.md`, `USER.md`, `openclaw.json`, `clawdbot.json`) from paths determined by environment variables (`WORKSPACE_DIR`, `HOME`). If an attacker can manipulate these environment variables (e.g., through a compromised environment or a prior command injection), they could redirect the skill to read arbitrary sensitive files from the file system. The content of these files is then processed (e.g., parsed for names, timezones, gateway tokens), creating a data exfiltration risk if sensitive information is read and subsequently exposed (e.g., via LLM context). The `search_memory` tool also implies broad read access to "workspace files". Remediation: Restrict file system access to only necessary, predefined paths. Validate and sanitize environment variables used to construct file paths. Consider using a dedicated configuration management system instead of reading arbitrary files from potentially user-controlled paths. | LLM | src/dev.ts:87 |
| HIGH | **Agent Instructed to Write API Key to File from Untrusted Content.** The `SKILL.md` document, which is treated as untrusted input, explicitly instructs an agent to write a `TELNYX_API_KEY` to a `.env` file using a `cat` command: `cat > .env << 'EOF' TELNYX_API_KEY=<user_api_key> ... EOF`. If an LLM agent processes this untrusted documentation and attempts to follow its instructions, it could be prompted to ask for or use a `user_api_key` and write it to a file. While the intent is for legitimate setup, this pattern means the agent is being instructed by untrusted content to handle sensitive credentials. A malicious modification of this untrusted content could lead to the agent writing the key to an attacker-controlled location or exfiltrating it. This is a prompt injection vulnerability that facilitates credential handling in an insecure manner. Remediation: Avoid instructing agents to directly handle or write sensitive credentials via shell commands embedded in untrusted documentation. Instead, provide a secure API or tool for credential management that validates and sanitizes inputs, and ensures credentials are stored securely. | LLM | SKILL.md:99 |
| MEDIUM | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Remediation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/dotcom-squad/telnyx-voice-sip/src/dev.ts:46 |
| MEDIUM | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Remediation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/dotcom-squad/telnyx-voice-sip/src/dev.ts:110 |
| MEDIUM | **Unpinned npm dependency version.** Dependency 'dotenv' is not pinned to an exact version ('^17.2.3'). Remediation: Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/dotcom-squad/telnyx-voice-sip/package.json |
| LOW | **Node lockfile missing.** package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Remediation: Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/dotcom-squad/telnyx-voice-sip/package.json |