Trust Assessment
treelisty received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 0 critical, 3 high, 8 medium, and 1 low severity. Key findings include Unsafe deserialization / dynamic eval, Unpinned npm dependency version, Arbitrary File Read via User-Controlled Input Path.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 51/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings12
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Arbitrary File Read via User-Controlled Input Path The `scripts/treelisty-cli.js` script's `readInput` function directly uses a user-provided `input` path without validation or sanitization. This allows an attacker to specify any file path on the system, leading to the reading and potential exfiltration of sensitive files accessible to the `node` process. Implement strict validation for `inputPath` to ensure it only points to expected locations or files. Consider using a sandbox or restricting file access for the `node` process. If reading arbitrary files is intended, clearly document the security implications and require explicit user confirmation for sensitive paths. | LLM | scripts/treelisty-cli.js:80 | |
| HIGH | Arbitrary File Write via User-Controlled Output Path The `scripts/treelisty-cli.js` script's `cmdExport` function uses a user-provided `outputPath` directly with `fs.writeFileSync`. This allows an attacker to specify any file path on the system, potentially overwriting critical system files or writing malicious content to arbitrary locations. Implement strict validation for `outputPath` to ensure it only points to expected, non-sensitive locations (e.g., a designated output directory). Prevent writing to absolute paths or outside a defined working directory. | LLM | scripts/treelisty-cli.js:109 | |
| HIGH | Credential Exfiltration via User-Controlled WebSocket Host The `scripts/push.js` module allows sending a `token` (if provided) to a WebSocket host specified by the user (`options.host` and `options.port`). If an AI agent is configured to pass a sensitive token to this skill, a malicious prompt could instruct the skill to connect to an attacker-controlled WebSocket server, thereby exfiltrating the token. If a token is sensitive, restrict the `host` parameter to a whitelist of trusted domains or IP addresses. Alternatively, ensure that the agent does not pass sensitive tokens to skills where the destination host is user-controlled. | LLM | scripts/push.js:30 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/prairie2cloud/treelisty-openclaw-skill/scripts/decompose.js:304 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/prairie2cloud/treelisty-openclaw-skill/scripts/export.js:171 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/prairie2cloud/treelisty-openclaw-skill/scripts/treelisty-cli.js:261 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/prairie2cloud/treelisty-openclaw-skill/scripts/validate.js:12 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/prairie2cloud/treelisty-openclaw-skill/scripts/validate.js:142 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/prairie2cloud/treelisty-openclaw-skill/scripts/validate.js:315 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/prairie2cloud/treelisty-openclaw-skill/scripts/validate.js:379 | |
| MEDIUM | Unpinned npm dependency version Dependency 'ws' is not pinned to an exact version ('^8.16.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/prairie2cloud/treelisty-openclaw-skill/package.json | |
| LOW | Unpinned Dependency in package.json The `package.json` file specifies the `ws` dependency with a caret range (`^8.16.0`). While `package-lock.json` pins the exact version, relying on caret ranges in `package.json` can lead to unexpected minor or patch updates during installation, potentially introducing new vulnerabilities or breaking changes if the `package-lock.json` is not strictly enforced or is missing. For security-sensitive skills, it's best practice to pin exact versions in `package.json`. Change the `ws` dependency in `package.json` to an exact version (e.g., `"ws": "8.19.0"`) to ensure deterministic dependency resolution. | LLM | package.json:9 |
Scan History
Embed Code
[](https://skillshield.io/report/295c88cbf3ceed3e)
Powered by SkillShield