Security Audit

universal-profile

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned 3 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

universal-profile received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 25 findings: 3 critical, 10 high, 10 medium, and 2 low severity. Key findings include Persistence / self-modification instructions, Credential harvesting, Unsafe deserialization / dynamic eval.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

Static Code Analysis

70%

Dependency Graph

91%

LLM Behavioral Safety

68%

Behavioral Risk Signals

Filesystem Write

5 findings

Shell Execution

21 findings

Dynamic Code

18 findings

Excessive Permissions

3 findings

Security Findings25

Severity	Finding	Layer	Location
CRITICAL	Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/frozeman/universal-profile/lib/config.js:219
CRITICAL	Credential harvesting macOS Keychain credential access Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores.	Manifest	skills/frozeman/universal-profile/SKILL.md:61
CRITICAL	Potential Command Injection in macOS Keychain Retrieval Example The `SKILL.md` documentation provides a Node.js code snippet demonstrating how to retrieve a private key from the macOS Keychain using `child_process.execSync`. The `controllerAddress` variable is interpolated directly into the shell command string. If `controllerAddress` is derived from untrusted user input without proper sanitization, an attacker could inject arbitrary shell commands, leading to remote code execution or data exfiltration on the host system where this code is executed. Ensure that any user-provided input (like `controllerAddress`) is strictly validated and sanitized (e.g., using a strict regex for Ethereum addresses) before being interpolated into shell commands. Prefer using safer alternatives to `execSync` when dealing with user input, or pass arguments as an array if the underlying command-line tool supports it to prevent shell interpretation. Add a prominent warning in the documentation about the critical importance of input sanitization.	LLM	SKILL.md:60
HIGH	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/frozeman/universal-profile/lib/constants.js:31
HIGH	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/frozeman/universal-profile/lib/constants.js:63
HIGH	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/frozeman/universal-profile/lib/constants.js:329
HIGH	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/frozeman/universal-profile/lib/execute/direct.js:43
HIGH	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/frozeman/universal-profile/lib/execute/direct.js:73
HIGH	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/frozeman/universal-profile/lib/execute/index.js:4
HIGH	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/frozeman/universal-profile/lib/tokens/lsp7.js:4
HIGH	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/frozeman/universal-profile/lib/tokens/lsp8.js:4
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/frozeman/universal-profile/SKILL.md:35
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/frozeman/universal-profile/SKILL.md:37
MEDIUM	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/frozeman/universal-profile/lib/execute/relay.js:124
MEDIUM	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/frozeman/universal-profile/lib/permissions.js:103
MEDIUM	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/frozeman/universal-profile/lib/provider.js:4
MEDIUM	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/frozeman/universal-profile/lib/tokens/lsp7.js:70
MEDIUM	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/frozeman/universal-profile/lib/tokens/lsp7.js:100
MEDIUM	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/frozeman/universal-profile/lib/tokens/lsp7.js:159
MEDIUM	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/frozeman/universal-profile/lib/tokens/lsp8.js:29
MEDIUM	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/frozeman/universal-profile/lib/tokens/lsp8.js:57
MEDIUM	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/frozeman/universal-profile/lib/tokens/lsp8.js:83
MEDIUM	Unpinned npm dependency version Dependency '@lukso/eip191-signer.js' is not pinned to an exact version ('^0.2.5'). Pin dependencies to exact versions to reduce drift and supply-chain risk.	Dependencies	skills/frozeman/universal-profile/package.json
LOW	Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution.	Dependencies	skills/frozeman/universal-profile/package.json
LOW	Unpinned Dependencies in package.json The `package.json` file uses caret (`^`) ranges for its dependencies (e.g., `ethers: "^6.9.0"`). This allows `npm` to install minor or patch updates automatically. While convenient, it introduces a supply chain risk where a malicious or buggy update in a dependency's minor/patch version could be pulled in without explicit review, potentially leading to unexpected behavior or security vulnerabilities. For critical applications, exact pinning is generally recommended. Pin dependencies to exact versions (e.g., `"ethers": "6.9.0"`) to ensure deterministic builds and prevent unexpected changes from upstream packages. Commit the `package-lock.json` file to version control to further lock down the dependency tree. Regularly audit and manually update dependencies.	LLM	package.json:16

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/7cbd956aecd95f08.svg)](https://skillshield.io/report/7cbd956aecd95f08)