Trust Assessment
skill-scanner-guard received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 18 findings: 5 critical, 6 high, 7 medium, and 0 low severity. Key findings include "Persistence / self-modification instructions", "Sensitive environment variable access: $HOME", and "Persistence mechanism: systemd service".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (18)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Persistence / self-modification instructions:** systemd service persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/jason-allen-oneal/skill-scanner-guard/SKILL.md:65 |
| CRITICAL | **Persistence / self-modification instructions:** systemd service persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/jason-allen-oneal/skill-scanner-guard/SKILL.md:66 |
| CRITICAL | **Persistence / self-modification instructions:** systemd service persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/jason-allen-oneal/skill-scanner-guard/SKILL.md:69 |
| CRITICAL | **Path Traversal via `--name` argument in `scan_and_add_skill.sh`.** The `scan_and_add_skill.sh` script allows a user to specify the destination directory name using the `--name` argument. This argument (`DEST_NAME`) is directly concatenated with `$DEST_BASE` (`$HOME/.openclaw/skills`) to form `$DEST_DIR` without proper sanitization. If an attacker provides a path traversal sequence (e.g., `../../.ssh`) as the `--name` argument, the skill directory (`$SRC_DIR`) can be copied to an arbitrary location on the filesystem, potentially overwriting sensitive files or exfiltrating data if the skill contains it. This grants excessive write permissions outside the intended skill directory. Sanitize the `DEST_NAME` variable to ensure it does not contain path separators (e.g., `/`, `..`). Only allow alphanumeric characters, hyphens, and underscores. A robust solution would be to use `basename` on the user-provided `--name` value, or explicitly validate against path components. | LLM | scripts/scan_and_add_skill.sh:100 |
| CRITICAL | **Path Traversal via `<slug>` argument in `clawhub_scan_install.sh`.** The `clawhub_scan_install.sh` script takes a user-controlled `<slug>` argument, which is then passed directly as the `--name` argument to `scan_and_add_skill.sh`. As `scan_and_add_skill.sh` is vulnerable to path traversal via its `--name` argument, this means an attacker can provide a malicious `<slug>` (e.g., `my_skill/../../.ssh`) to `clawhub_scan_install.sh`. This will cause the downloaded skill to be installed into an arbitrary location on the filesystem, granting excessive write permissions outside the intended skill directory. Sanitize the `SLUG` variable to ensure it does not contain path separators (e.g., `/`, `..`) before passing it to `scan_and_add_skill.sh`. Alternatively, ensure the underlying vulnerability in `scan_and_add_skill.sh` is fixed by sanitizing `DEST_NAME`. | LLM | scripts/clawhub_scan_install.sh:90 |
| HIGH | **Persistence mechanism: systemd service.** Detected systemd service pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/jason-allen-oneal/skill-scanner-guard/SKILL.md:65 |
| HIGH | **Persistence mechanism: systemd service.** Detected systemd service pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/jason-allen-oneal/skill-scanner-guard/SKILL.md:66 |
| HIGH | **Persistence mechanism: systemd service.** Detected systemd service pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/jason-allen-oneal/skill-scanner-guard/SKILL.md:69 |
| HIGH | **Command Injection via user-controlled `$SRC_DIR` in `uv run`.** The `scan_and_add_skill.sh` script executes `uv run skill-scanner scan "$SRC_DIR" ...`. The `$SRC_DIR` variable is user-controlled input. If `$SRC_DIR` contains shell metacharacters, specifically command substitutions like `$(evil_command)` or backticks, the shell will execute these commands before `uv run` is invoked. This allows an attacker to inject and execute arbitrary shell commands. Validate `$SRC_DIR` to ensure it is a legitimate directory path and does not contain any shell metacharacters. Use `realpath` to canonicalize the path and ensure it's within expected boundaries. Consider using `printf %q` to properly quote the argument if it must contain special characters, or pass arguments as an array to `exec` if possible, to avoid shell interpretation. | LLM | scripts/scan_and_add_skill.sh:68 |
| HIGH | **Command Injection via user-controlled `$SLUG` in `npx clawhub`.** The `clawhub_scan_install.sh` script executes `npx -y clawhub install "$SLUG"`. The `$SLUG` variable is user-controlled input. If `$SLUG` contains shell metacharacters, specifically command substitutions like `$(evil_command)` or backticks, the shell will execute these commands before `npx` is invoked. This allows an attacker to inject and execute arbitrary shell commands. Validate `$SLUG` to ensure it contains only safe characters (e.g., alphanumeric, hyphens, underscores) and does not contain any shell metacharacters. Consider using `printf %q` to properly quote the argument if it must contain special characters, or use a programmatic API for `clawhub` if available, instead of shelling out. | LLM | scripts/clawhub_scan_install.sh:75 |
| HIGH | **Unpinned dependencies for skill-scanner and clawhub.** The skill relies on external tools `cisco-ai-defense/skill-scanner` and `clawhub` without pinning specific versions. `SKILL.md` instructs users to `git clone` the `skill-scanner` repository (fetching the latest `main` branch) and then `uv sync --all-extras` (installing latest dependencies). `clawhub_scan_install.sh` uses `npx -y clawhub` (fetching and executing the latest `clawhub` from npm). This lack of version pinning makes the skill vulnerable to supply chain attacks if any of these upstream projects or their dependencies are compromised, as a malicious update could be pulled and executed without warning. For `skill-scanner`: Pin the `git clone` to a specific commit hash or tag. Use `uv pip compile` to generate a `requirements.txt` with locked versions, and then `uv pip sync -r requirements.txt`. For `clawhub`: Specify a version when using `npx`, e.g., `npx clawhub@1.2.3`. If `clawhub` is a project dependency, manage its version through `package.json` and `npm ci`. | LLM | SKILL.md:20 |
| MEDIUM | **Sensitive environment variable access: `$HOME`.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/jason-allen-oneal/skill-scanner-guard/SKILL.md:16 |
| MEDIUM | **Sensitive environment variable access: `$HOME`.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/jason-allen-oneal/skill-scanner-guard/scripts/auto_scan_user_skills.sh:7 |
| MEDIUM | **Sensitive environment variable access: `$USER`.** Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/jason-allen-oneal/skill-scanner-guard/scripts/auto_scan_user_skills.sh:16 |
| MEDIUM | **Sensitive environment variable access: `$HOME`.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/jason-allen-oneal/skill-scanner-guard/scripts/clawhub_scan_install.sh:66 |
| MEDIUM | **Sensitive environment variable access: `$HOME`.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/jason-allen-oneal/skill-scanner-guard/scripts/scan_and_add_skill.sh:63 |
| MEDIUM | **Sensitive environment variable access: `$HOME`.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/jason-allen-oneal/skill-scanner-guard/scripts/scan_openclaw_skills.sh:4 |
| MEDIUM | **Sensitive environment variable access: `$USER`.** Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/jason-allen-oneal/skill-scanner-guard/scripts/scan_openclaw_skills.sh:37 |