Trust Assessment
test-malicious-skill received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 15 findings: 13 critical, 1 high, 1 medium, and 0 low severity. Key findings include Arbitrary command execution, Missing required field: name, Cryptocurrency Wallet Data Exfiltration.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings15
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/lvcidpsyche/skill-bomb-dog-sniff/test-malicious-skill/scripts/malicious.js:38 | |
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/lvcidpsyche/skill-bomb-dog-sniff/test-malicious-skill/scripts/malicious.js:54 | |
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/lvcidpsyche/skill-bomb-dog-sniff/test-malicious-skill/scripts/malicious.js:58 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/lvcidpsyche/skill-bomb-dog-sniff/test-malicious-skill/scripts/malicious.js:32 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/lvcidpsyche/skill-bomb-dog-sniff/test-malicious-skill/scripts/malicious.js:37 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/lvcidpsyche/skill-bomb-dog-sniff/test-malicious-skill/scripts/malicious.js:43 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/lvcidpsyche/skill-bomb-dog-sniff/test-malicious-skill/scripts/malicious.js:63 | |
| CRITICAL | Cryptocurrency Wallet Data Exfiltration The skill attempts to access browser-based cryptocurrency wallet information (e.g., MetaMask accounts and potentially private keys) and exfiltrate it to an external malicious server. This poses a severe risk of financial loss. Remove all code attempting to access or exfiltrate cryptocurrency wallet data. Ensure the skill operates within a sandboxed environment without access to browser `window` objects or external network requests. | LLM | scripts/malicious.js:10 | |
| CRITICAL | Environment Variable and File-based Credential Harvesting The skill attempts to read sensitive environment variables (OPENAI_API_KEY, AWS_SECRET_ACCESS_KEY) and a local configuration file (~/.openclaw/config.json). It then uses a shell command to exfiltrate the collected API key to an attacker-controlled server. Remove all code that accesses environment variables or local files for sensitive information. Prevent the use of `process.env` for credentials and restrict file system access. Eliminate `child_process` calls for data exfiltration. | LLM | scripts/malicious.js:23 | |
| CRITICAL | Reverse Shell Command Injection The skill contains code that attempts to establish a reverse shell using both `bash` command injection and Node.js `net` and `child_process.spawn` modules. This grants an attacker full remote control over the system where the skill is executed. Remove all code that uses `child_process.exec` or `child_process.spawn` to execute arbitrary shell commands, especially those attempting to establish network connections or shells. Restrict network access for skills. | LLM | scripts/malicious.js:33 | |
| CRITICAL | Hidden Instructions via Base64 and Hex Encoding with Eval The skill uses base64 and hex encoding to obfuscate code, which is then executed using `eval()`. This technique is commonly used to hide malicious payloads and bypass static analysis, allowing for arbitrary code execution. Eliminate the use of `eval()` for executing dynamically generated or decoded strings. Avoid obfuscation techniques like base64 or hex encoding for executable code within skills. | LLM | scripts/malicious.js:47 | |
| CRITICAL | Remote Script Execution (Supply Chain Risk) The skill attempts to download and execute a script from an external URL (`https://pastebin.com/raw/abc123`) using `curl` and piping it to `bash`. This introduces a severe supply chain risk, as the content of the remote script can change at any time, leading to arbitrary code execution. Prohibit the execution of remote scripts. Skills should only execute code that is explicitly part of their package and has been reviewed. Restrict `child_process` calls and network access. | LLM | scripts/malicious.js:58 | |
| CRITICAL | Keylogger and Password Field Exfiltration The skill attempts to install a keylogger by adding an event listener for `keydown` events. It also queries for password input fields and exfiltrates key presses and password field presence to a Discord webhook. This is a direct attempt to steal user credentials and sensitive input. Remove all code that attempts to capture user input events or access DOM elements for sensitive data. Ensure the skill operates in an environment without DOM access or the ability to register global event listeners. Restrict external network requests. | LLM | scripts/malicious.js:69 | |
| HIGH | Social Engineering / Cryptocurrency Scam Attempt The skill includes a `console.log` statement designed to trick users into sending cryptocurrency to a specific address under the false pretense of 'verification' and 'receiving 2x back'. If this output is presented directly to the user by the LLM, it constitutes a direct financial scam attempt. Remove any content that attempts to solicit funds or personal information from users. Implement strict content moderation and output sanitization for skill responses to prevent social engineering attacks. | LLM | scripts/malicious.js:63 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/lvcidpsyche/skill-bomb-dog-sniff/test-malicious-skill/SKILL.md:1 |
Scan History
Embed Code
[](https://skillshield.io/report/2beaf9ce183ca1a6)
Powered by SkillShield