Trust Assessment
voice-devotional received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 41 findings: 18 critical, 10 high, 12 medium, and 1 low severity. Key findings include Persistence / self-modification instructions, Network egress to untrusted endpoints, Arbitrary command execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings41
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/voice-devotional/scripts/install-morning-briefing.sh:73 | |
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/voice-devotional/scripts/install-morning-briefing.sh:85 | |
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/voice-devotional/scripts/install-morning-briefing.sh:95 | |
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/voice-devotional/scripts/install-morning-briefing.sh:106 | |
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/voice-devotional/scripts/install-morning-briefing.sh:149 | |
| CRITICAL | Persistence / self-modification instructions Piping content into crontab Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/snail3d/voice-devotional/scripts/install-morning-briefing.sh:99 | |
| CRITICAL | Network egress to untrusted endpoints Axios POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/snail3d/voice-devotional/scripts/overwatch-checkin.js:81 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/scripts/overwatch.py:98 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/scripts/overwatch.py:128 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/scripts/overwatch.py:257 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/scripts/generate-morning-briefing.js:11 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/scripts/overwatch-checkin.js:17 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/scripts/skill-discovery-agent.js:13 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/scripts/overwatch-checkin.js:54 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/scripts/overwatch-checkin.js:127 | |
| CRITICAL | Prompt Injection via Workspace Context in Sub-Agent Task The `generate-morning-briefing.js` script embeds the `workspaceContext` (read from local files like `MEMORY.md`, `SOUL.md`, `TOOLS.md`, and daily logs) directly into the `task` field of a sub-agent's task descriptor. If the sub-agent is an LLM, and any of these local files contain adversarial instructions or manipulative text, it could lead to prompt injection, allowing an attacker to hijack the sub-agent's behavior or extract further information. Implement robust input sanitization and validation for any data incorporated into LLM prompts. Consider using structured data formats or dedicated prompt templates that clearly delineate user input from system instructions. Avoid directly concatenating untrusted or potentially manipulated content into LLM prompts. | LLM | scripts/generate-morning-briefing.js:145 | |
| CRITICAL | Unverified Binary Download and Execution from GitHub The `claude-code-updater.sh` script downloads a binary (`claude-code`) from a GitHub release URL constructed using a parsed `tag_name`. It then makes this downloaded file executable and runs it. This process is highly vulnerable to supply chain attacks: if the GitHub repository `anthropics/claude-code` is compromised, or if the `tag_name` parsing is flawed, malicious code could be downloaded and executed with the permissions of the user running the script. Avoid direct execution of unverified binaries downloaded from external sources. Implement cryptographic signature verification (e.g., GPG signatures) for downloaded binaries. Consider using package managers with built-in integrity checks. Isolate execution in a sandboxed environment if verification is not possible. | LLM | scripts/claude-code-updater.sh:39 | |
| CRITICAL | Automated Skill Installation from External Hub The `skill-discovery-agent.js` script is designed to automatically search for, security scan, and install skills from 'ClawdHub'. This automated installation process, even with a preceding 'security-scanner' check, presents a significant supply chain risk. A compromise of ClawdHub or a vulnerability in the 'security-scanner' skill could lead to the installation and execution of malicious skills on the agent's system. Implement a human review and approval step before any new skills are installed. Ensure the 'security-scanner' skill is robust and regularly updated. Consider sandboxing newly installed skills to limit their potential impact. Implement strict allow-listing for trusted skill sources. | LLM | scripts/skill-discovery-agent.js:243 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'detect_motion'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/voice-devotional/scripts/overwatch.py:128 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'capture_frame'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/voice-devotional/scripts/overwatch.py:98 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/voice-devotional/scripts/overwatch.py:257 | |
| HIGH | Potential data exfiltration: file read + network send Function 'send_telegram_photo' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/snail3d/voice-devotional/scripts/overwatch.py:58 | |
| HIGH | Persistence mechanism: Crontab modification Detected Crontab modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/snail3d/voice-devotional/scripts/install-morning-briefing.sh:85 | |
| HIGH | Persistence mechanism: Crontab modification Detected Crontab modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/snail3d/voice-devotional/scripts/install-morning-briefing.sh:95 | |
| HIGH | Sensitive Workspace Context Exfiltration to Sub-Agent and Telegram The `generate-morning-briefing.js` script reads potentially sensitive files from the workspace (`MEMORY.md`, `SOUL.md`, `TOOLS.md`, and recent daily logs) and embeds this 'workspaceContext' directly into a task descriptor for a sub-agent. This task descriptor is then written to a file and explicitly marked for a sub-agent whose output is directed to a Telegram group. This constitutes a clear path for exfiltrating internal agent state and potentially sensitive user data to an external messaging platform. Review the necessity of including full workspace context in the sub-agent task. Implement strict sanitization or redaction of sensitive information before embedding it in prompts or sending it to external services. Ensure the Telegram chat ID is controlled and trusted, and consider end-to-end encryption for sensitive communications. | LLM | scripts/generate-morning-briefing.js:139 | |
| HIGH | Webcam Image and AI Analysis Exfiltration to Groq and Telegram The `overwatch-checkin.js` script captures images from the system's webcam and sends them to the Groq Vision API for analysis. The captured images and the AI-generated descriptions are then sent to a configured Telegram chat. If the captured images contain sensitive information (e.g., private spaces, documents, individuals), this constitutes data exfiltration to an external AI service and an external messaging platform. Ensure that the webcam is only used in non-sensitive environments or when explicit user consent is given. Implement strict access controls for the Telegram chat ID. Consider local-only processing for sensitive images or redacting sensitive areas before sending to external services. | LLM | scripts/overwatch-checkin.js:80 | |
| HIGH | Webcam Image Exfiltration and Prompt Injection via Telegram The `overwatch.py` script captures images from the webcam and sends them to a Telegram chat. The caption for the Telegram message includes explicit instructions for an LLM recipient ('Reply with: 'analyze' - I'll check what I see', 'stream' - Get live view link'). This constitutes data exfiltration of visual information and a prompt injection risk if the Telegram recipient is an LLM and the caption can be manipulated. Ensure that the webcam is only used in non-sensitive environments or with explicit user consent. Implement strict access controls for the Telegram chat ID. Avoid embedding direct instructions for an LLM in captions that might be exposed to untrusted input or channels. Use structured tool calls instead of natural language instructions for LLM interaction. | LLM | scripts/overwatch.py:100 | |
| HIGH | Excessive Permissions for Cron Job Installation The `install-morning-briefing.sh` script uses `sudo` to modify system timezone settings and directly modifies the user's crontab to schedule a daily briefing. While this is typical for an installation script, it grants the skill broad system modification capabilities. If the skill or this installation script were compromised, these elevated permissions could be abused to gain persistent access or execute arbitrary commands on the system. Minimize the use of `sudo` to only strictly necessary operations. Ensure that any scripts executed with elevated privileges are thoroughly vetted and secured. Consider using less privileged scheduling mechanisms or requiring explicit user confirmation for system-level changes. | LLM | scripts/install-morning-briefing.sh:22 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/snail3d/voice-devotional/scripts/skill-discovery-agent.js:89 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/snail3d/voice-devotional/SKILL.md:1 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/snail3d/voice-devotional/scripts/overwatch.py:56 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/snail3d/voice-devotional/scripts/overwatch.py:82 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/snail3d/voice-devotional/scripts/claude-code-updater.sh:8 | |
| MEDIUM | Sensitive environment variable access: $GITHUB_API Access to sensitive environment variable '$GITHUB_API' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/snail3d/voice-devotional/scripts/claude-code-updater.sh:21 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/snail3d/voice-devotional/scripts/motion-detect.sh:5 | |
| MEDIUM | Unpinned npm dependency version Dependency 'axios' is not pinned to an exact version ('^1.6.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/snail3d/voice-devotional/package.json | |
| MEDIUM | Telegram Credentials Loaded from Local File The `overwatch.py` script attempts to load Telegram bot credentials (token and chat ID) from a local file `~/.clawdbot/credentials/telegram.json` if environment variables are not set. While this is a common practice, it introduces a risk if the file permissions are not properly secured, allowing unauthorized access to the bot's credentials by other processes or users on the system. Ensure that the `~/.clawdbot/credentials/telegram.json` file has restrictive file permissions (e.g., `chmod 600`) to prevent unauthorized reading. Prefer using environment variables or a secure secrets management system over plain-text files for sensitive credentials. | LLM | scripts/overwatch.py:30 | |
| MEDIUM | Command Injection Vulnerability in Capture Script The `capture.sh` script directly uses the `$OUTPUT` variable (derived from the first positional argument) and the `$DEVICE` variable (from `WEBCAM_DEVICE` environment variable) in `imagesnap` and `ffmpeg` commands without proper sanitization. If this script is invoked with untrusted input for either the output path or the device name, an attacker could inject arbitrary shell commands. Sanitize all external inputs before using them in shell commands. For file paths, use `printf %q` or similar methods to properly quote arguments. For device names, validate against a known list of safe devices or ensure they cannot contain shell metacharacters. Alternatively, rewrite the script in a language that offers safer subprocess execution (e.g., Python's `subprocess.run` with `shell=False`). | LLM | scripts/capture.sh:12 | |
| MEDIUM | Local HTTP Server for Live Camera Stream The `overwatch.py` script starts a simple HTTP server (`HTTPServer`) to serve a live camera stream (`/stream.jpg`). This opens a network port on the local machine and exposes the camera feed. If the server is not properly secured (e.g., bound to `localhost` only, authentication, encryption), it could allow unauthorized access to the live stream from other devices on the network or even the internet. Ensure the HTTP server is bound only to `127.0.0.1` (localhost) unless external access is explicitly required and secured. Implement authentication and HTTPS for any externally accessible camera streams. Consider using a more robust web server framework with built-in security features. | LLM | scripts/overwatch.py:120 | |
| MEDIUM | Email Content Analysis and Reporting The `mail-hygiene.sh` script fetches and analyzes full email content (from, subject, body) from Gmail. It then generates a detailed report (`REPORT_FILE`, `SUMMARY_FILE`) based on this content. While the script's direct output is to local files, other scripts (`mail-hygiene-reporter.sh`) are designed to read these reports and prepare messages for a 'main agent', which implies potential onward transmission to external services like Telegram. This creates a data exfiltration risk if sensitive email content is processed and then communicated to an untrusted destination. Review the necessity of including full email content in reports that may be transmitted externally. Implement redaction or summarization of sensitive information before reporting. Ensure that the 'main agent' and its communication channels are trusted and secure. | LLM | scripts/mail-hygiene.sh:120 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/snail3d/voice-devotional/package.json |
Scan History
Embed Code
[](https://skillshield.io/report/8d65e8b924e17964)
Powered by SkillShield