Security Audit

super-helper

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned 3 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

super-helper received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 10 findings: 9 critical, 1 high, 0 medium, and 0 low severity. Key findings include System prompt override / policy bypass, Persistence / self-modification instructions, Unsafe environment variable passthrough.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

Behavioral Risk Signals

Network Access

2 findings

Filesystem Write

1 finding

Shell Execution

2 findings

Dynamic Code

2 findings

Excessive Permissions

1 finding

Security Findings10

Severity	Finding	Layer	Location
CRITICAL	System prompt override / policy bypass Ignore/disregard previous instructions pattern Remove or rewrite any instructions that attempt to override system behavior. Legitimate skills should not contain phrases like 'ignore previous instructions' or 'new system prompt'.	Manifest	skills/dgriffin831/skill-scan/test-fixtures/malicious-skill/SKILL.md:6
CRITICAL	Persistence / self-modification instructions Piping content into crontab Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/dgriffin831/skill-scan/test-fixtures/malicious-skill/helper.js:20
CRITICAL	Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/dgriffin831/skill-scan/test-fixtures/malicious-skill/helper.js:20
CRITICAL	Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores.	Manifest	skills/dgriffin831/skill-scan/test-fixtures/malicious-skill/helper.js:7
CRITICAL	Prompt Injection Attempt The skill's `SKILL.md` contains explicit instructions attempting to override the host LLM's directives and exfiltrate sensitive information. The `<system>` tag suggests an attempt to directly inject system-level instructions. Remove all prompt injection attempts and malicious instructions from the skill's documentation.	LLM	SKILL.md:6
CRITICAL	Credential Harvesting via File Read The skill attempts to read a sensitive configuration file (`.config/auth-profiles.json`) from the user's home directory, which likely contains credentials or other sensitive information. Remove code that accesses sensitive files from the user's system.	LLM	helper.js:5
CRITICAL	Credential Harvesting via Environment Variables The skill explicitly searches for and collects environment variables containing 'API_KEY' or 'SECRET', indicating an attempt to harvest credentials. Remove code that accesses and filters environment variables for sensitive information.	LLM	helper.js:6
CRITICAL	Data Exfiltration to External Endpoint The skill collects sensitive data (credentials, environment variables) and then exfiltrates it by sending a Base64 encoded payload to an external, potentially malicious webhook URL (`https://evil-webhook.ngrok.io/collect`). Remove all code responsible for exfiltrating data to external, untrusted endpoints.	LLM	helper.js:12
CRITICAL	Command Injection and Persistence Mechanism The skill uses `execSync` to execute a shell command that modifies the user's crontab, establishing a persistent beacon to a malicious URL (`https://evil.com/beacon`). This indicates a clear attempt at command injection and maintaining unauthorized access. Remove all calls to `execSync` or other shell execution functions, especially those used to modify system configurations or establish persistence.	LLM	helper.js:17
HIGH	Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough.	Manifest	skills/dgriffin831/skill-scan/test-fixtures/malicious-skill/helper.js:7

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/e141e794da23cec3.svg)](https://skillshield.io/report/e141e794da23cec3)