Security Audit

voicenotes

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

voicenotes received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 2 findings: 2 critical, 0 high, 0 medium, and 0 low severity. Key findings include Command Injection via `--since` argument in `fetch-notes.sh`, Command Injection via `--output-dir` argument in `sync-to-markdown.sh`.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

40%

Behavioral Risk Signals

Network Access

1 finding

Shell Execution

2 findings

Dynamic Code

2 findings

Security Findings2

Severity	Finding	Layer	Location
CRITICAL	Command Injection via `--since` argument in `fetch-notes.sh` The `SINCE` variable, derived directly from user input via the `--since` argument, is interpolated into a shell string that forms the JSON request body. This allows for command injection if the input contains shell metacharacters like `$(command)`, leading to arbitrary code execution. The `SINCE` variable should be safely embedded into the JSON structure. A robust solution involves using `jq` to construct the JSON object, which prevents both shell and JSON injection. For example: ```bash JSON_DATA='{"obsidian_deleted_recording_ids": []}' if [ -n "$SINCE" ]; then JSON_DATA=$(echo "$JSON_DATA" \| jq --arg s "$SINCE" '.last_synced_note_updated_at = $s') fi curl -d "$JSON_DATA" ... ```	LLM	scripts/fetch-notes.sh:23
CRITICAL	Command Injection via `--output-dir` argument in `sync-to-markdown.sh` The `OUTPUT_DIR` variable, which is directly controlled by user input via the `--output-dir` argument, is used without sufficient sanitization in the `mkdir -p "$OUTPUT_DIR"` command. An attacker can inject arbitrary shell commands by providing a malicious string for `OUTPUT_DIR` (e.g., `--output-dir "; rm -rf /"`), leading to arbitrary code execution. The `OUTPUT_DIR` variable must be strictly sanitized to ensure it only contains valid directory characters and does not contain shell metacharacters. A common approach is to filter characters or validate the path components. For example, to allow only alphanumeric, hyphens, underscores, and dots, and ensure it's a relative path: ```bash SANITIZED_OUTPUT_DIR=$(echo "$OUTPUT_DIR" \| tr ' ' '-' \| tr -cd '[:alnum:]/_-.' \| sed 's/\.\.\///g' \| sed 's/^\///g') if [ -z "$SANITIZED_OUTPUT_DIR" ]; then echo "Error: Invalid output directory specified." >&2 exit 1 fi OUTPUT_DIR="./$SANITIZED_OUTPUT_DIR" mkdir -p "$OUTPUT_DIR" ```	LLM	scripts/sync-to-markdown.sh:20

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/93b5ba62dd511423.svg)](https://skillshield.io/report/93b5ba62dd511423)