Trust Assessment
token-alert received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 22 findings: 7 critical, 8 high, 6 medium, and 1 low severity. Key findings include Persistence / self-modification instructions, Unsafe environment variable passthrough, and Arbitrary command execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (22)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/r00tid/token-alert/scripts/setup-notifications.sh:17 | |
| CRITICAL | Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/r00tid/token-alert/scripts/setup-notifications.sh:26 | |
| CRITICAL | Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/r00tid/token-alert/scripts/setup-notifications.sh:36 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/r00tid/token-alert/scripts/check.py:23 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/r00tid/token-alert/scripts/providers/anthropic.py:100 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/r00tid/token-alert/scripts/providers/anthropic.py:59 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/r00tid/token-alert/scripts/providers/openai.py:47 | |
| HIGH | Unsafe environment variable passthrough Access to well-known credential environment variables Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/r00tid/token-alert/scripts/providers/anthropic.py:59 | |
| HIGH | Unsafe environment variable passthrough Access to well-known credential environment variables Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/r00tid/token-alert/scripts/providers/openai.py:47 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'get_session_tokens'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/r00tid/token-alert/scripts/check.py:23 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_get_from_session_status'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/r00tid/token-alert/scripts/providers/anthropic.py:100 | |
| HIGH | Persistence mechanism: macOS LaunchAgent Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/r00tid/token-alert/scripts/setup-notifications.sh:17 | |
| HIGH | Persistence mechanism: macOS LaunchAgent Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/r00tid/token-alert/scripts/setup-notifications.sh:26 | |
| HIGH | Persistence mechanism: macOS LaunchAgent Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/r00tid/token-alert/scripts/setup-notifications.sh:36 | |
| HIGH | Hardcoded Gateway Token with Broad CORS Policy The `proxy-server.py` script hardcodes a `GATEWAY_TOKEN` and starts an HTTP server with `Access-Control-Allow-Origin: *`. This allows any website visited by the user to make cross-origin requests to `http://localhost:8765/api/*`. The proxy then forwards these requests to the Clawdbot gateway at `http://localhost:18789`, authenticating them with the hardcoded token. This creates a vulnerability where a malicious website could exploit the user's browser to send arbitrary commands to the Clawdbot agent, potentially leading to data exfiltration, unauthorized actions, or further system compromise, depending on the permissions granted by the `GATEWAY_TOKEN`. 1. **Remove hardcoded `GATEWAY_TOKEN`**: The token should be dynamically retrieved from a secure source (e.g., environment variable, secure configuration file with restricted permissions, or a secure API call) at runtime, or the proxy should not handle authentication itself. 2. **Restrict CORS `Access-Control-Allow-Origin`**: Instead of `*`, specify a narrow list of trusted origins (e.g., `http://localhost:8765` if the dashboard is served from there, or `null` for file:// origins if applicable). If the proxy is only for the dashboard, it should only allow requests from the dashboard's origin. 3. **Re-evaluate proxy necessity**: If the dashboard can directly communicate with the Clawdbot gateway, the proxy might be unnecessary, reducing the attack surface. If a proxy is needed, it should be designed with security in mind, especially regarding authentication and origin restrictions. | LLM | scripts/proxy-server.py:10 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/r00tid/token-alert/SKILL.md:1 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/r00tid/token-alert/scripts/providers/gemini.py:61 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/r00tid/token-alert/scripts/providers/openai.py:65 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/r00tid/token-alert/scripts/proxy-server.py:5 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/r00tid/token-alert/scripts/notify.sh:6 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/r00tid/token-alert/scripts/setup-notifications.sh:16 | |
| LOW | Uncontrolled Third-Party CDN Dependency The dashboard HTML files (e.g., `dashboard-v3.html`) load `chart.js` from `cdn.jsdelivr.net`. While a specific version (`@4.4.1`) is used, relying on external CDNs introduces a supply chain risk. If the CDN provider or the `chart.js` project itself were compromised, malicious code could be served to users, potentially leading to client-side attacks or data manipulation within the dashboard. 1. **Self-host dependencies**: Download `chart.js` and serve it locally from the skill package. 2. **Subresource Integrity (SRI)**: If continuing to use a CDN, implement Subresource Integrity (SRI) by adding `integrity` and `crossorigin` attributes to the script tag. This ensures that the fetched resource has not been tampered with. | LLM | scripts/dashboard-v3.html:19 | |