Trust Assessment
synapse received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 30 findings: 10 critical, 10 high, 8 medium, and 0 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Suspicious import: requests.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (30)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/pendzoncymisio/synapse/src/identity.py:344 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/pendzoncymisio/synapse/src/logic.py:550 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/pendzoncymisio/synapse/src/seeder_client.py:95 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/pendzoncymisio/synapse/src/setup_identity.py:23 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/pendzoncymisio/synapse/src/setup_identity.py:42 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/pendzoncymisio/synapse/src/setup_identity.py:52 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/pendzoncymisio/synapse/SKILL.md:19 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/pendzoncymisio/synapse/SKILL.md:19 | |
| CRITICAL | Remote Code Execution via trust_remote_code=True The LocalEmbedder in `src/embeddings.py` uses `trust_remote_code=True` when loading models from Hugging Face. This setting allows arbitrary Python code to be executed from the model repository, posing a critical remote code execution vulnerability if a malicious or compromised model is loaded. This bypasses standard security measures and can lead to full system compromise. Avoid `trust_remote_code=True` with untrusted model sources. If absolutely necessary, ensure models are thoroughly vetted and downloaded from trusted, immutable sources, or consider sandboxing the execution environment. Prefer models that do not require `trust_remote_code`. | LLM | src/embeddings.py:109 | |
| CRITICAL | Bypass of safety checks via `skip_safety_check` parameter The `assimilate_shard` tool includes a `skip_safety_check` boolean parameter. If set to `True`, it explicitly bypasses the `AssimilationEngine`'s security scans, which are designed to detect prompt injection, data exfiltration, and code execution patterns in downloaded memory shards. This allows an attacker to force the assimilation of malicious content into the agent's knowledge base, directly enabling prompt injection or other attacks against the host LLM or agent. Remove the `skip_safety_check` parameter from the tool definition. Safety checks should never be bypassable by untrusted input. If an internal bypass is needed for development/testing, it should not be exposed to the agent. | LLM | skill.json:133 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_sign_with_openssl'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/pendzoncymisio/synapse/src/identity.py:344 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'cmd_setup_identity'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/pendzoncymisio/synapse/src/logic.py:550 | |
| HIGH | Potential data exfiltration: file read + network send Function 'cmd_share' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/pendzoncymisio/synapse/src/logic.py:347 | |
| HIGH | Potential data exfiltration: file read + network send Function '_announce_to_trackers' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/pendzoncymisio/synapse/src/network.py:227 | |
| HIGH | Dangerous call: subprocess.Popen() Call to 'subprocess.Popen()' detected in function 'start_daemon'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/pendzoncymisio/synapse/src/seeder_client.py:95 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'generate_identity_openssl_mldsa'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/pendzoncymisio/synapse/src/setup_identity.py:42 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'generate_identity_openssl_mldsa'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/pendzoncymisio/synapse/src/setup_identity.py:52 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'check_openssl_mldsa_support'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/pendzoncymisio/synapse/src/setup_identity.py:23 | |
| HIGH | Arbitrary File Write via `download_memory_shard` tool The `download_memory_shard` tool allows a user to specify an `output_dir` for downloaded files. This directory is directly used by the `SynapseNode` and `BitTorrentEngine` to save files. An attacker could provide a path to a sensitive system directory (e.g., `/etc`, `/usr/bin`, `~/.ssh`) or an executable path, potentially overwriting critical files, installing malware, or achieving persistence. Restrict `output_dir` to a dedicated, sandboxed download directory within the skill's scope. Do not allow arbitrary paths. Implement strict validation and sanitization of user-provided paths to ensure they are within the allowed scope and do not contain directory traversal sequences. | LLM | skill.json:105 | |
| HIGH | Arbitrary File Sharing via `create_memory_shard` tool The `create_memory_shard` tool accepts a `source_db` parameter, which is a user-controlled path to a file. The skill then uses `BitTorrentEngine.create_torrent` to generate a torrent from this file and potentially seeds it. This allows an attacker to instruct the agent to share any file on the filesystem that the agent has read access to, leading to data exfiltration. Restrict `source_db` to a dedicated, sandboxed directory for shareable files. Implement strict validation to ensure the path is within the allowed scope and does not point to sensitive system files or directories. | LLM | skill.json:15 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/pendzoncymisio/synapse/src/logic.py:124 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/pendzoncymisio/synapse/src/logic.py:343 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/pendzoncymisio/synapse/src/logic.py:210 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/pendzoncymisio/synapse/src/network.py:219 | |
| MEDIUM | Suspicious import: socket Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/pendzoncymisio/synapse/src/seeder_client.py:6 | |
| MEDIUM | Suspicious import: socket Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/pendzoncymisio/synapse/src/seeder_daemon.py:13 | |
| MEDIUM | Access to sensitive OpenClaw configuration file The `src/config.py` module contains functions (`get_openclaw_config`, `get_skill_env_vars`) that read `~/.openclaw/openclaw.json`. This file can store sensitive configuration, including environment variables for other skills. If the Synapse skill is compromised, it could read and potentially exfiltrate this sensitive information, leading to broader system compromise. Implement a more granular permission model for accessing OpenClaw configuration files. Skills should only have access to their own configuration and not to global or other skill-specific sensitive data unless explicitly granted and justified by the user or platform. | LLM | src/config.py:144 | |
| MEDIUM | Storage of Post-Quantum identity private keys on disk The skill generates and stores ML-DSA-87 or Ed25519 private keys in `~/.openclaw/identity/`. While file permissions are correctly set to `0o600` for the private key, the presence of these cryptographic keys on the filesystem makes them a high-value target. An attacker who achieves local filesystem access could harvest these keys, impersonate the agent, or forge attestations. Explore options for hardware-backed key storage (e.g., TPM, HSM) or secure enclave solutions where available. If keys must reside on disk, ensure they are encrypted at rest with a strong, user-provided passphrase, and that the passphrase is not stored alongside the keys. | LLM | src/identity.py:136 | |
| INFO | Unpinned `uv_build` dependency range The `pyproject.toml` specifies `uv_build>=0.9.18,<0.10.0`. While this is a minor version range, it still allows for new versions to be installed automatically. If a new version within this range introduces a vulnerability, it could affect the skill without explicit review. Pin `uv_build` to an exact version (e.g., `uv_build==0.9.18`) to ensure deterministic builds and prevent unexpected changes from upstream dependencies. | LLM | pyproject.toml:70 | |
| INFO | Skill code hosted in external, non-OpenClaw repository The manifest indicates the skill's repository is `https://github.com/Pendzoncymisio/Synapse`, which is external to the OpenClaw project. This means the skill's source code is maintained by a third party and may not undergo the same level of security review or adhere to OpenClaw's security standards, increasing the overall supply chain risk. For critical skills, consider mirroring the repository or performing regular, in-depth security audits of the external codebase. Ideally, skills should be hosted within the OpenClaw ecosystem for better control and vetting. | LLM | Manifest |