Trust Assessment
tootoo received a trust score of 57/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 0 high, 2 medium, and 1 low severity. Key findings include Unpinned npm dependency version, Node lockfile missing, Untrusted content written to LLM context files (SOUL.md, USER.md).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Untrusted content written to LLM context files (SOUL.md, USER.md) The skill is designed to fetch `soul_md` and `user_md` content from an external, untrusted source (`https://tootoo.ai`) via `CodexFetcher` and write it directly to `SOUL.md` and `USER.md` in the skill's workspace using `SoulWriter`. These files are typically read by the host LLM to influence its behavior. An attacker controlling the `tootoo.ai` service (or compromising it) could inject arbitrary instructions, system prompts, or malicious content into the LLM's context, leading to prompt injection, data exfiltration, or other harmful actions by the agent. The `TODO` in `src/handler.ts` explicitly indicates this functionality will be implemented. 1. **Content Sanitization/Validation:** Implement strict validation and sanitization of `soul_md` and `user_md` content fetched from `tootoo.ai` before writing it to disk. This might involve whitelisting allowed markdown elements, removing executable code, or filtering specific keywords/patterns known to be used in prompt injection. 2. **User Confirmation:** Require explicit user confirmation before writing potentially sensitive content to LLM context files. 3. **Isolation/Sandboxing:** Ensure that the `SOUL.md` and `USER.md` files are written to a sandboxed, skill-specific directory, and that the host LLM's interpretation of these files is also sandboxed or limited. 4. **Trust Boundary:** Clearly define the trust boundary. If `tootoo.ai` is considered untrusted, its output should never directly influence the LLM without strict controls. | LLM | src/handler.ts:10 | |
| MEDIUM | Unpinned npm dependency version Dependency 'axios' is not pinned to an exact version ('^1.6.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/retieflouw/tootoo-skill/package.json | |
| MEDIUM | Potential path traversal in external URL construction The `CodexFetcher` constructs a URL using a user-provided `username` directly: `https://tootoo.ai/${username}-TooYou.openclaw.json`. If the `username` can contain path traversal sequences (e.g., `../`), it might be possible to request arbitrary files or paths on the `tootoo.ai` server, potentially leading to information disclosure or other server-side vulnerabilities if the server is not properly secured against such requests. While the `baseUrl` is hardcoded, the `username` is dynamic. 1. **Input Validation:** Strictly validate the `username` input to ensure it only contains allowed characters (e.g., alphanumeric, hyphens, underscores) and does not contain path separators (`/`, `\`) or path traversal sequences (`..`). 2. **URL Encoding:** Ensure the `username` component of the URL is properly URL-encoded before being concatenated. | LLM | src/lib/codex-fetcher.ts:7 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/retieflouw/tootoo-skill/package.json |
Scan History
Embed Code
[](https://skillshield.io/report/ca586cc413c555c5)
Powered by SkillShield