Trust Assessment
skill-search received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 4 critical, 0 high, 0 medium, and 0 low severity. Key findings include "Remote code execution: curl/wget pipe to shell" and "Arbitrary File Write and Remote Code Execution via Path Traversal".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | **Remote code execution: curl/wget pipe to shell**<br>Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/dustinjamest/dynamic-skills/scripts/skillhub.sh:145 | |
| CRITICAL | **Remote code execution: curl/wget pipe to shell**<br>Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/dustinjamest/dynamic-skills/scripts/skillhub.sh:186 | |
| CRITICAL | **Remote code execution: curl/wget pipe to shell**<br>Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/dustinjamest/dynamic-skills/scripts/skillhub.sh:212 | |
| CRITICAL | **Arbitrary File Write and Remote Code Execution via Path Traversal**<br>The `scripts/skillhub.sh` script allows fetching skill content from a remote server (`skills.droyd.ai`) and extracting it to the local filesystem. The `extract_skill_files` function, specifically the Python script it executes, constructs file paths using both the user-controlled `skill_name` (e.g., `author/skill-name` from the command line argument) and `filename`s extracted from the untrusted remote content. Both of these inputs are vulnerable to path traversal attacks (e.g., `../`).<br>An attacker can craft a malicious skill name (e.g., `author/../../.ssh`) or embed path traversal sequences in the `filename` within the skill content (e.g., `=== ../../../evil.sh ===`). This allows them to write arbitrary files to arbitrary locations on the filesystem, outside the intended `/tmp/openclaw-skills/{skill-name}/` directory. For example, a skill named `author/../../.ssh` combined with content specifying `=== authorized_keys ===` could lead to writing an attacker's SSH key to `/tmp/.ssh/authorized_keys`.<br>The `SKILL.md` explicitly states that the agent can then 'read and execute these files directly,' which means this arbitrary file write directly leads to remote code execution (RCE) with the privileges of the agent.<br>Implement strict sanitization for both the `skill_name` (used to construct `out_dir`) and the `filename`s extracted from the skill content. Ensure these inputs do not contain path traversal sequences (`../`), absolute paths (`/`), or other characters that could lead to writing files outside the designated skill directory. For `skill_name`, validate it against a whitelist of allowed characters (e.g., alphanumeric, hyphens, underscores, forward slashes only for `author/skill-name` structure, but disallowing `..`). For `filename`, ensure it is a simple filename without directory separators. Additionally, consider sandboxing the execution environment for extracted skills to limit the impact of any successful file writes or code execution. | LLM | scripts/skillhub.sh:97 | |