Trust Assessment
spool received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 3 critical, 6 high, 1 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Persistence mechanism: systemd service, Potential Data Exfiltration via Browser Snapshot.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions: systemd service persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/zizi-cat/spool/SKILL.md:31 |
| CRITICAL | Persistence / self-modification instructions: systemd service persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/zizi-cat/spool/SKILL.md:34 |
| CRITICAL | Persistence / self-modification instructions: systemd service persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/zizi-cat/spool/SKILL.md:35 |
| HIGH | Persistence mechanism: systemd service. Detected systemd service pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/zizi-cat/spool/SKILL.md:31 |
| HIGH | Persistence mechanism: systemd service. Detected systemd service pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/zizi-cat/spool/SKILL.md:34 |
| HIGH | Persistence mechanism: systemd service. Detected systemd service pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/zizi-cat/spool/SKILL.md:35 |
| HIGH | Potential Data Exfiltration via Browser Snapshot. The skill's core functionality involves taking snapshots of web pages on Threads (e.g., timelines, profiles, search results) using `browser action=snapshot`. These snapshots can contain sensitive or private user data. If the LLM processes this data and subsequently exposes it to unauthorized users, stores it insecurely, or includes it in responses without proper sanitization, it could lead to data exfiltration. The skill itself makes this data available to the LLM. Implement strict data handling policies for LLM outputs. Ensure explicit user consent is obtained before accessing and processing private data. Sanitize or redact sensitive information from snapshots before further processing or display to users. Avoid storing raw snapshot data unnecessarily. | LLM | SKILL.md:50 |
| HIGH | Prompt Injection via User-Controlled Text Input. The skill demonstrates posting and replying to Threads using `browser action=act ... request={"kind":"type","ref":"e14","text":"포스팅 내용"}`. If the `text` parameter is populated directly from untrusted user input without proper validation or sanitization, an attacker could inject malicious content (e.g., spam, phishing links, or content designed to manipulate other users or the Threads platform) into public posts or replies. This could lead to reputational damage, spread of misinformation, or social engineering attacks. Always sanitize and validate user input before using it in `type` actions. Implement a confirmation step for the user to review and approve the content before it is posted or replied to. Consider content moderation or filtering for user-generated text. | LLM | SKILL.md:74 |
| HIGH | Prompt Injection / Data Exfiltration via User-Controlled URL Navigation. The skill uses `browser action=open profile=openclaw targetUrl="..."` to navigate to various Threads pages, including user profiles and search results. If the `targetUrl` parameter, or components within it (like `@username` or `검색어`), are constructed using untrusted user input, an attacker could: (1) direct the browser to a malicious website (phishing, malware distribution); (2) direct the browser to an attacker-controlled site to attempt to exfiltrate browser session data (e.g., cookies, if the browser tool is not sufficiently isolated); (3) craft URLs that exploit vulnerabilities in the Threads platform itself (e.g., XSS); (4) use search queries to probe for sensitive information or perform OSINT. Validate and sanitize all user-provided components of `targetUrl`. Implement a strict allowlist for domains that the browser tool is permitted to visit. For search queries or profile lookups, ensure inputs are properly encoded and validated to prevent URL manipulation or injection. | LLM | SKILL.md:90 |
| MEDIUM | Excessive Permissions of Browser Automation Tool. The `openclaw` browser tool, as described and used by this skill, has broad capabilities including navigating to arbitrary URLs, interacting with page elements (click, type), and capturing full page snapshots. While this is the intended functionality of a browser automation tool, it represents a significant attack surface. If the underlying `openclaw` browser environment is not sufficiently sandboxed or isolated, it could potentially access local files (e.g., via `file://` URLs), interact with other browser tabs/processes, or execute arbitrary JavaScript if not properly secured against XSS. The skill itself leverages these broad capabilities. Ensure the `openclaw` browser tool runs in a highly sandboxed and isolated environment with minimal privileges. Implement strict content security policies (CSPs) within the browser tool to limit resource loading and script execution. Restrict the tool's ability to access local file systems or other sensitive resources. | LLM | SKILL.md:40 |