Trust Assessment
skill-search received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 5 critical, 1 high, 0 medium, and 0 low severity. Key findings include "Remote code execution: curl/wget pipe to shell", "Arbitrary Code Execution via Dynamic Skill Loading", and "Supply Chain Risk: Untrusted Code Execution".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/dustinjamest/skill-search/scripts/skillhub.sh:145 |
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/dustinjamest/skill-search/scripts/skillhub.sh:186 |
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/dustinjamest/skill-search/scripts/skillhub.sh:212 |
| CRITICAL | Arbitrary Code Execution via Dynamic Skill Loading. The skill is designed to fetch arbitrary skill content from an external registry (skills.droyd.ai) and then explicitly instructs the agent to execute any bundled scripts from the extracted directory. This allows a malicious skill published on the registry to execute arbitrary commands on the host system, leading to full system compromise, data exfiltration, or further attacks. The `SKILL.md` explicitly states: 'Then follow the loaded skill's instructions, running any bundled scripts from the extracted directory.' Implement strict sandboxing or containerization for dynamically loaded skills. Require explicit user confirmation and a security review before executing any fetched skill content. Restrict network and file system access for untrusted code. Consider static analysis of fetched skill code before execution. | LLM | SKILL.md:40 |
| CRITICAL | Supply Chain Risk: Untrusted Code Execution. The skill's primary function is to dynamically load and execute code from an external, untrusted source (ClawHub registry at skills.droyd.ai). This introduces a significant supply chain risk, as a compromise of the registry or a malicious skill developer could lead to the execution of arbitrary, harmful code on the agent's host system without prior vetting. The `skillhub.sh` script fetches content from `BASE_URL` and the `SKILL.md` instructs the agent to execute it. Establish a robust vetting process for skills published on the registry. Implement strong integrity checks (e.g., cryptographic signatures) for fetched skill content. Educate users about the risks of executing untrusted code. Consider a 'safe mode' where dynamically loaded skills have severely restricted permissions. | LLM | SKILL.md:1 |
| HIGH | Path Traversal Vulnerability in Skill Content Extraction. The `extract_skill_files` function in `scripts/skillhub.sh` uses `os.path.join` within its embedded Python script to construct file paths from untrusted `filename` values provided within the fetched skill content. A malicious skill could craft `filename` values containing path traversal sequences (e.g., `../../../etc/passwd`) to write files outside the intended `/tmp/openclaw-skills/{skill-name}/` directory, potentially overwriting critical system files or user configuration files. Sanitize the `filename` variable before using it in `os.path.join`. Ensure that the resolved `filepath` remains strictly within the designated `out_dir`. A common approach is to check if `os.path.abspath(filepath)` starts with `os.path.abspath(out_dir)` after joining, or to use `os.path.basename` to strip directory components from `filename` if subdirectories are not intended. | LLM | scripts/skillhub.sh:95 |