Trust Assessment
skill-auditor received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 25 findings: 16 critical, 0 high, 8 medium, and 0 low severity. Key findings include persistence / self-modification instructions, malicious install hooks, and arbitrary command execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (25)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions: Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/rubenaquispe/skill-auditor/scripts/setup.js:294 | |
| CRITICAL | Malicious install hooks: Python setup.py with suspicious imports. Review all lifecycle scripts carefully. Remove install hooks that make network requests, execute shell commands, or access environment variables. Use --ignore-scripts for npm installs when possible. | Manifest | skills/rubenaquispe/skill-auditor/scripts/setup.js:270 | |
| CRITICAL | Malicious install hooks: Python setup.py with suspicious imports. Review all lifecycle scripts carefully. Remove install hooks that make network requests, execute shell commands, or access environment variables. Use --ignore-scripts for npm installs when possible. | Manifest | skills/rubenaquispe/skill-auditor/scripts/setup.js:299 | |
| CRITICAL | Arbitrary command execution: Python dynamic code execution (exec/eval/compile). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/rubenaquispe/skill-auditor/scripts/scan-url.js:21 | |
| CRITICAL | Arbitrary command execution: Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/rubenaquispe/skill-auditor/scripts/analyzers/ast-python.js:7 | |
| CRITICAL | Arbitrary command execution: Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/rubenaquispe/skill-auditor/scripts/audit-installed.js:9 | |
| CRITICAL | Arbitrary command execution: Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/rubenaquispe/skill-auditor/scripts/setup.js:7 | |
| CRITICAL | Arbitrary command execution: Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/rubenaquispe/skill-auditor/scripts/setup.js:329 | |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/rubenaquispe/skill-auditor/scripts/analyzers/ast-python.js:17 | |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/rubenaquispe/skill-auditor/scripts/analyzers/ast-python.js:282 | |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/rubenaquispe/skill-auditor/scripts/audit-installed.js:89 | |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/rubenaquispe/skill-auditor/scripts/setup.js:69 | |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/rubenaquispe/skill-auditor/scripts/setup.js:81 | |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/rubenaquispe/skill-auditor/scripts/setup.js:97 | |
| CRITICAL | Command injection in generated shell script: The `scripts/setup.js` file generates `post-skill-install.cmd` (Windows) and `post-skill-install.sh` (Linux/macOS) hook scripts. These generated scripts interpolate the `config.autoScanSeverityThreshold` variable directly into a command string without proper quoting. If an attacker can modify the `~/.openclaw/skill-auditor.json` configuration file, they could inject arbitrary shell commands into `autoScanSeverityThreshold` (e.g., `critical; rm -rf /` or `critical & calc.exe`) which would then be executed when the hook script runs. Ensure that `config.autoScanSeverityThreshold` is properly quoted when interpolated into the generated shell scripts. For example, use `"${config.autoScanSeverityThreshold}"` in both Windows and Linux scripts, and sanitize the input to prevent quote escaping. | LLM | scripts/setup.js:137 | |
| CRITICAL | LLM prompt injection via skill metadata/findings: The `scripts/analyzers/llm-semantic.js` component constructs a prompt for an external LLM using data derived from the skill being scanned, specifically `skillMeta.name`, `skillMeta.description`, `f.explanation`, and `f.file`. If a malicious skill provides specially crafted text in its `SKILL.md` (name, description) or if a finding's explanation contains adversarial instructions, these could manipulate the LLM's behavior, leading to prompt injection. This could cause the LLM to misclassify findings, reveal sensitive information, or generate harmful content. Implement robust sanitization and escaping of all untrusted inputs (skill metadata, finding explanations, file paths) before they are incorporated into the LLM prompt. Consider using a structured input format (e.g., JSON) for LLM communication where possible, or employ LLM-specific prompt injection defenses like input validation, instruction tuning, or separate 'red-teaming' LLMs. | LLM | scripts/analyzers/llm-semantic.js:100 | |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/rubenaquispe/skill-auditor/scripts/analyzers/ast-python.js:276 | |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/rubenaquispe/skill-auditor/scripts/analyzers/static.js:481 | |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/rubenaquispe/skill-auditor/scripts/scan-skill.js:16 | |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/rubenaquispe/skill-auditor/scripts/scan-skill.js:518 | |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/rubenaquispe/skill-auditor/scripts/scan-skill.js:529 | |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/rubenaquispe/skill-auditor/scripts/scan-url.js:76 | |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/rubenaquispe/skill-auditor/scripts/setup.js:85 | |
| MEDIUM | Unpinned npm dependency version: Dependency 'node-fetch' is not pinned to an exact version ('^3.3.2'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/rubenaquispe/skill-auditor/package.json | |
| INFO | Unpinned optional dependencies: The `package.json` file uses caret (`^`) ranges for optional dependencies (`node-fetch`, `tree-sitter`, `tree-sitter-python`, `yara`, `yara-js`). While `package-lock.json` provides exact versions, relying on `^` in `package.json` allows for automatic updates to new minor or patch versions. For a security tool, stricter pinning (e.g., exact versions or `~` for patch-only updates) is recommended to prevent unexpected changes or potential supply chain risks if a malicious update is published. Pin optional dependencies to exact versions (e.g., `3.3.2` instead of `^3.3.2`) or use tilde (`~`) for patch-only updates to ensure only patch-level changes are allowed. | LLM | package.json:20 | |