Trust Assessment
voice-ui received a trust score of 51/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 2 critical, 1 high, 2 medium, and 0 low severity. Key findings include: sensitive environment variable access ($OPENAI_API_KEY); an unpinned npm dependency version; and a skill highly vulnerable to prompt injection due to self-evolving code modification.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Skill highly vulnerable to prompt injection due to self-evolving code modification.** The skill's core functionality involves an AI modifying its own CSS/JS code and committing changes based on voice instructions. This direct interaction between user input (via voice, interpreted by LLM) and code modification creates a critical vulnerability for prompt injection. A malicious user could craft voice commands designed to manipulate the underlying LLM into generating harmful code, deleting files, or exfiltrating data, bypassing intended safety measures. Recommendation: implement robust input sanitization and validation for all voice commands before they are processed by the LLM. Use strict guardrails and content filters for LLM outputs, especially when those outputs are used to generate or modify code. Isolate the code modification process in a highly sandboxed environment with minimal permissions. Consider a human review step for any AI-generated code changes. | LLM | SKILL.md:30 |
| CRITICAL | **AI has excessive write permissions to source code and performs automatic Git commits.** The skill's description states it can "自己進化" (self-evolve) by modifying CSS/JS files and performing "自動Gitコミット" (automatic Git commits) based on AI instructions. This grants the AI (and by extension, potentially a malicious user via prompt injection) write access to the skill's source code and the ability to execute Git commands. This is an extremely high-risk permission, allowing for arbitrary code modification, injection of malicious code, or deletion of files. The mechanism for code modification is likely vulnerable to command injection if not properly sandboxed and validated. Recommendation: implement strict sandboxing for any code modification capabilities. All AI-generated code changes must be reviewed, validated, and executed within a highly restricted environment. Avoid direct execution of AI-generated commands. Consider a human-in-the-loop approval process for code changes and Git commits. Limit the scope of files the AI can modify. | LLM | SKILL.md:30 |
| HIGH | **Skill harvests API keys from host's OpenClaw configuration file.** The `start.sh` script explicitly reads `OPENAI_API_KEY` from `~/.openclaw/openclaw.json` using shell commands (`cat`, `grep`, `cut`) and Python. This grants the skill direct access to sensitive API keys stored on the host system. While intended for functionality, it poses a significant risk if the skill is compromised, as these harvested credentials could then be exfiltrated or misused. Recommendation: avoid direct parsing of host configuration files for credentials. Instead, rely on environment variables explicitly passed to the skill or a secure credential management system provided by the host platform. If direct access is unavoidable, ensure the parsing is robust, sandboxed, and that the skill's access to the configuration file is strictly limited to only the necessary keys. | LLM | start.sh:5 |
| MEDIUM | **Sensitive environment variable access: $OPENAI_API_KEY.** Access to sensitive environment variable `$OPENAI_API_KEY` detected in shell context. Recommendation: verify this environment variable access is necessary and that the value is not exfiltrated. | Static | skills/yukihamada/voice-ui/start.sh:7 |
| MEDIUM | **Unpinned npm dependency version.** Dependency `ws` is not pinned to an exact version (`^8.0.0`). Recommendation: pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/yukihamada/voice-ui/package.json |
Full report: [SkillShield report for voice-ui](https://skillshield.io/report/52985734c2b81241). Powered by SkillShield.