Trust Assessment
skill-from-memory received a trust score of 51/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 11 findings: 6 critical, 2 high, 3 medium, and 0 low severity. Key findings include "Sensitive environment variable access: `$GITHUB_REPO`", "Unsanitized user input in shell command execution", and "Sensitive data written to user-controlled path".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (11)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Unsanitized user input in shell command execution.** Multiple scripts directly use user-controlled variables in shell commands without proper sanitization or robust quoting, leading to potential command injection. An attacker could inject arbitrary shell commands by crafting malicious input for arguments like `--source`, `--skill-name`, `--github`, `--clawhub-slug`, `--description`, `--memory-file`, or `--output-dir`. Sanitize all user-controlled variables before using them in shell commands. For arguments, use `printf %q` to properly quote values. For paths, validate and sanitize to prevent path traversal (e.g., disallow `../` or absolute paths). Example: `command $(printf %q "$USER_INPUT")` | LLM | scripts/create-and-publish.sh:90 |
| CRITICAL | **Unsanitized user input in shell command execution.** The `$SKILL_NAME` variable, derived from user input, is used directly in a subshell command `$(echo "$SKILL_NAME" \| ...)` within a heredoc. If `$SKILL_NAME` contains backticks or `$()`, it could lead to arbitrary command execution. Avoid using `echo` with untrusted input that is then piped to other commands. Use `printf %s` instead of `echo` for arbitrary strings, or sanitize `$SKILL_NAME` to remove shell metacharacters before processing. | LLM | scripts/create-skill.sh:56 |
| CRITICAL | **Unsanitized user input in shell command execution.** The `$GITHUB_REPO` and `$CLAWHUB_SLUG` variables are concatenated into `PUBLISH_OPTS` without proper quoting around the individual values. When `PUBLISH_OPTS` is later expanded unquoted, any shell metacharacters in these user-controlled variables will be executed, leading to command injection. Ensure all user-controlled variables are properly quoted when concatenated or expanded. For `PUBLISH_OPTS`, each argument should be added as a separate, quoted element to an array, then expanded with `"${ARRAY[@]}"`. | LLM | scripts/create-and-publish.sh:112 |
| CRITICAL | **Unsanitized user input in shell command execution.** The `$SKILL_PATH` variable, derived from user input, is used directly in a `cd` command. An attacker could use path traversal sequences (e.g., `../`) to change the current directory to an arbitrary location, potentially affecting subsequent file operations or script execution context. Sanitize `$SKILL_PATH` to prevent path traversal. Ensure it refers to a valid, expected directory within the skill's scope. Consider using `readlink -f` to canonicalize the path and then validate it. | LLM | scripts/publish.sh:66 |
| CRITICAL | **Unsanitized user input in shell command execution.** The `$GITHUB_REPO` variable, derived from user input, is used directly in the `git remote add origin` command. If `$GITHUB_REPO` contains shell metacharacters, it could lead to command injection. Sanitize `$GITHUB_REPO` to ensure it only contains valid GitHub repository owner/name format. Use `printf %q` to properly quote the variable if it must contain special characters, or validate it against a strict regex. | LLM | scripts/publish.sh:71 |
| CRITICAL | **Unsanitized user input in shell command execution.** The `$CLAWHUB_SLUG` and `$SKILL_NAME` variables, derived from user input, are passed as arguments to `clawhub publish`. While quoted, if the values themselves contain single quotes, they could break out of the quoting and lead to command injection. Sanitize `$CLAWHUB_SLUG` and `$SKILL_NAME` to remove or escape any characters that could break shell quoting. A more robust solution would be to use `printf %q` for each argument. | LLM | scripts/publish.sh:98 |
| HIGH | **Sensitive data written to user-controlled path.** The `extract-from-history.sh` and `extract-from-memory.sh` scripts read potentially sensitive user data (conversation history, memory files) and write extracted content to a user-specified output directory (`$OUTPUT_DIR`). If an attacker controls `$OUTPUT_DIR`, they could direct this sensitive data to a publicly accessible location, overwrite critical files, or exfiltrate it. Validate and sanitize `$OUTPUT_DIR` to ensure it points to a secure, non-public, and non-critical location. Implement strict access controls on the output directory. Consider encrypting sensitive output if it must be stored. | LLM | scripts/extract-from-history.sh:60 |
| HIGH | **Sensitive data written to user-controlled path.** The `extract-from-memory.sh` script copies the user-specified `MEMORY_FILE` and writes extracted content to a user-specified output directory (`$OUTPUT_DIR`). If an attacker controls `$OUTPUT_DIR`, they could direct this sensitive data to a publicly accessible location, overwrite critical files, or exfiltrate it. Validate and sanitize `$OUTPUT_DIR` to ensure it points to a secure, non-public, and non-critical location. Implement strict access controls on the output directory. Consider encrypting sensitive output if it must be stored. | LLM | scripts/extract-from-memory.sh:33 |
| MEDIUM | **Sensitive environment variable access: `$GITHUB_REPO`.** Access to sensitive environment variable '$GITHUB_REPO' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/zfanmy/skill-from-memory/scripts/create-and-publish.sh:146 |
| MEDIUM | **Sensitive environment variable access: `$GITHUB_REPO`.** Access to sensitive environment variable '$GITHUB_REPO' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/zfanmy/skill-from-memory/scripts/publish.sh:70 |
| MEDIUM | **User-controlled input embedded in generated markdown for LLM processing.** The `create-skill.sh` script embeds user-controlled variables (`$SKILL_NAME`, `$DESCRIPTION`) directly into the generated `SKILL.md` and `README.md` files. If these markdown files are later processed by an LLM, an attacker could inject malicious instructions or manipulate the LLM's behavior by crafting specific content for these variables. Sanitize user-controlled input before embedding it into generated files that might be processed by an LLM. This includes escaping markdown formatting, removing potential instruction keywords, or using a templating engine that automatically handles such sanitization. | LLM | scripts/create-skill.sh:50 |