Trust Assessment
tools-marketplace received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 3 medium, and 0 low severity. Key findings include "Sensitive environment variable access: $HOME", "Unpinned npm dependency for mcp-remote", and "Shell execution (`sh -c`) used for external tool with API key".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned npm dependency for mcp-remote.** The `scripts/setup.sh` script installs the `mcp-remote` package globally using `npm install -g mcp-remote`. This command does not specify a version, meaning it will always install the latest available version. If a malicious update is pushed to the `mcp-remote` package on npm, users running this setup script could unknowingly install and execute compromised code with elevated privileges (as `npm install -g` often requires sudo or runs in a privileged context, and the script itself is executed by the user). This introduces a significant supply chain risk. Remediation: pin the version of `mcp-remote` to a known good version (e.g., `npm install -g mcp-remote@1.2.3`) or use a lockfile mechanism if possible. Regularly audit the specified version for vulnerabilities. | LLM | scripts/setup.sh:49 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/preston-thiele/danube-tools/scripts/setup.sh:18 |
| MEDIUM | **Shell execution (`sh -c`) used for external tool with API key.** The `scripts/setup.sh` configures OpenClaw to execute the `mcp-remote` tool via `sh -c`. This means the command `mcp-remote https://mcp.danubeai.com/mcp --header "danube-api-key:$DANUBE_API_KEY"` is passed to a shell for interpretation and execution. While the command string is hardcoded by the developer, the use of `sh -c` introduces a dependency on shell parsing. If the `$DANUBE_API_KEY` environment variable (which is sensitive) were to contain shell metacharacters, it could lead to command injection. Even without direct injection, executing a critical tool with an API key through a shell wrapper can expose the command to a broader environment than direct execution, potentially increasing the attack surface. Remediation: configure OpenClaw to directly execute the `mcp-remote` binary and pass arguments as separate array elements. This avoids shell parsing and reduces the attack surface. For example: `{"command": "mcp-remote", "args": ["https://mcp.danubeai.com/mcp", "--header", "danube-api-key:$DANUBE_API_KEY"]}`. Without a shell, `$DANUBE_API_KEY` is expanded only if OpenClaw itself substitutes environment variables in `args`, so verify that behavior before switching. Ensure `mcp-remote` is installed in a secure, known location and its execution path is controlled. | LLM | scripts/setup.sh:90 |
| MEDIUM | **Direct API key input and storage by setup script.** The `scripts/setup.sh` script directly prompts the user for their `DANUBE_API_KEY` using `read -p` and then appends it to `~/.openclaw/.env`. While the `.env` file is a common and relatively secure place for local secrets, the script itself is handling a sensitive credential directly. If this script were compromised or modified, it could capture the API key before it's written to the `.env` file. Users are also explicitly instructed to run this script from the `SKILL.md`, making it a primary entry point for credential handling. Remediation: if possible, integrate with OpenClaw's native credential management system (if one exists) rather than managing `.env` files directly. Alternatively, provide clear instructions for the user to manually add the API key to their `.env` file, reducing the script's direct interaction with the secret. Ensure the script has appropriate file permissions and is only run from a trusted source. | LLM | scripts/setup.sh:34 |