Trust Assessment
task-status received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 3 critical, 3 high, 2 medium, and 1 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Potential Command Injection via external CLI call.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (12)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/mightyprime1/task-status/scripts/send_status.py:139 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/mightyprime1/task-status/scripts/send_status_with_logging.py:171 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/mightyprime1/task-status/scripts/test_send_status.py:37 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'send_status'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/mightyprime1/task-status/scripts/send_status.py:139 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'send_status'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/mightyprime1/task-status/scripts/send_status_with_logging.py:171 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'test_send_status'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/mightyprime1/task-status/scripts/test_send_status.py:37 |
| MEDIUM | **Potential Command Injection via external CLI call.** The `send_status.py` and `send_status_with_logging.py` scripts attempt to execute the `clawdbot` command-line interface using `subprocess.run`. While arguments are passed as a list (mitigating direct shell injection via message content), the path to the `clawdbot` executable is resolved using `shutil.which()` or hardcoded paths. An attacker who can manipulate the system's `PATH` environment variable or place a malicious executable named `clawdbot` in one of the expected locations (e.g., `C:\Users\Luffy\AppData\Roaming\npm\`) could potentially execute arbitrary commands. This relies on a pre-compromised environment or specific system manipulation. 1. Strongly prefer WebSocket communication and ensure its robustness. 2. If CLI fallback is necessary, validate that `clawdbot_path` points to a known, trusted location (e.g., by checking its hash or ensuring it's within a secure, non-user-writable system directory). 3. If possible, run the skill in an environment with a restricted `PATH` and limited write access to system directories. | LLM | scripts/send_status.py:117 |
| MEDIUM | **Potential Command Injection via external CLI call.** The `send_status.py` and `send_status_with_logging.py` scripts attempt to execute the `clawdbot` command-line interface using `subprocess.run`. While arguments are passed as a list (mitigating direct shell injection via message content), the path to the `clawdbot` executable is resolved using `shutil.which()` or hardcoded paths. An attacker who can manipulate the system's `PATH` environment variable or place a malicious executable named `clawdbot` in one of the expected locations (e.g., `C:\Users\Luffy\AppData\Roaming\npm\`) could potentially execute arbitrary commands. This relies on a pre-compromised environment or specific system manipulation. 1. Strongly prefer WebSocket communication and ensure its robustness. 2. If CLI fallback is necessary, validate that `clawdbot_path` points to a known, trusted location (e.g., by checking its hash or ensuring it's within a secure, non-user-writable system directory). 3. If possible, run the skill in an environment with a restricted `PATH` and limited write access to system directories. | LLM | scripts/send_status_with_logging.py:147 |
| LOW | **Unacknowledged local logging of user-provided status messages.** The `send_status_with_logging.py` script, designated as the 'production version,' logs all formatted status messages, including user-provided `message` and `details`, to local files (`telegram_messages.jsonl` and `task_status.jsonl`) in a hardcoded directory (`C:/Users/Luffy/clawd/logs`). The skill's public description (`SKILL.md`) does not inform the user about this logging behavior. If users include sensitive information in their status messages, this data will be persistently stored on disk without explicit consent or awareness. 1. Clearly inform users in the skill's documentation (`SKILL.md`) that status messages are logged locally. 2. Provide an option to disable logging or configure the log file location. 3. Advise users not to include sensitive information in status messages, or implement mechanisms to redact/sanitize potentially sensitive data before logging. | LLM | scripts/send_status_with_logging.py:20 |
| INFO | **Unpinned `websocket` dependency.** The scripts `send_status.py`, `send_status_websocket.py`, and `send_status_with_logging.py` import the `websocket` library without specifying a version. This makes the skill vulnerable to supply chain attacks if a malicious version of the `websocket` package is published or if backward-incompatible changes are introduced in future versions. Pin the `websocket` dependency to a specific, known-good version in a `requirements.txt` file or similar dependency management system. | LLM | scripts/send_status.py:19 |
| INFO | **Unpinned `websocket` dependency.** The scripts `send_status.py`, `send_status_websocket.py`, and `send_status_with_logging.py` import the `websocket` library without specifying a version. This makes the skill vulnerable to supply chain attacks if a malicious version of the `websocket` package is published or if backward-incompatible changes are introduced in future versions. Pin the `websocket` dependency to a specific, known-good version in a `requirements.txt` file or similar dependency management system. | LLM | scripts/send_status_websocket.py:10 |
| INFO | **Unpinned `websocket` dependency.** The scripts `send_status.py`, `send_status_websocket.py`, and `send_status_with_logging.py` import the `websocket` library without specifying a version. This makes the skill vulnerable to supply chain attacks if a malicious version of the `websocket` package is published or if backward-incompatible changes are introduced in future versions. Pin the `websocket` dependency to a specific, known-good version in a `requirements.txt` file or similar dependency management system. | LLM | scripts/send_status_with_logging.py:12 |