Trust Assessment
wechat-search received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 15 findings: 5 critical, 8 high, 1 medium, and 1 low severity. Key findings include Unsafe environment variable passthrough, Arbitrary command execution, Credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings15
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/jixsonwang/wechat-search/wechat_search.py:93 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/jixsonwang/wechat-search/wechat_search_fixed.py:87 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/jixsonwang/wechat-search/wechat_search_fixed.py:110 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/jixsonwang/wechat-search/wechat_search_simple.py:80 | |
| CRITICAL | Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/jixsonwang/wechat-search/wechat_search_fixed.py:78 | |
| HIGH | Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/jixsonwang/wechat-search/wechat_search_fixed.py:78 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'search'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/jixsonwang/wechat-search/wechat_search.py:93 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'tavily_search_wechat'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/jixsonwang/wechat-search/wechat_search_fixed.py:87 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'web_fetch_wechat'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/jixsonwang/wechat-search/wechat_search_fixed.py:110 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'search_wechat_articles'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/jixsonwang/wechat-search/wechat_search_simple.py:80 | |
| HIGH | User input passed to external Node.js script via subprocess The `search` method constructs a search query using user-provided input (`query`) and passes it directly as an argument to an external Node.js script (`/root/.openclaw/workspace/skills/tavily-search/scripts/search.mjs`) via `subprocess.run`. While `subprocess.run` with a list of arguments mitigates direct shell injection, the Node.js script itself might be vulnerable if it processes its arguments in an unsafe manner (e.g., using `eval()`, `child_process.exec()`, or constructing internal shell commands). An attacker could craft the `query` to potentially execute arbitrary code within the Node.js environment or manipulate the script's behavior. Review the source code of `/root/.openclaw/workspace/skills/tavily-search/scripts/search.mjs` to ensure it safely handles all arguments and does not perform any unsafe evaluations or shell executions with user-controlled input. If the Node.js script is not controlled by the skill developer, consider using a safer API or a more robust sanitization method for the `query` before passing it to the external script. Ideally, the `tavily-search` skill should expose a Python API that can be called directly, rather than relying on `subprocess.run` to invoke its Node.js script. | LLM | wechat_search.py:70 | |
| HIGH | User input passed to external Node.js script via subprocess The `tavily_search_wechat` method constructs a search query using user-provided input (`query`) and passes it directly as an argument to an external Node.js script (`/root/.openclaw/workspace/skills/tavily-search/scripts/search.mjs`) via `subprocess.run`. While `subprocess.run` with a list of arguments mitigates direct shell injection, the Node.js script itself might be vulnerable if it processes its arguments in an unsafe manner (e.g., using `eval()`, `child_process.exec()`, or constructing internal shell commands). An attacker could craft the `query` to potentially execute arbitrary code within the Node.js environment or manipulate the script's behavior. Review the source code of `/root/.openclaw/workspace/skills/tavily-search/scripts/search.mjs` to ensure it safely handles all arguments and does not perform any unsafe evaluations or shell executions with user-controlled input. If the Node.js script is not controlled by the skill developer, consider using a safer API or a more robust sanitization method for the `query` before passing it to the external script. Ideally, the `tavily-search` skill should expose a Python API that can be called directly, rather than relying on `subprocess.run` to invoke its Node.js script. | LLM | wechat_search_fixed.py:96 | |
| HIGH | User input passed to external Node.js script via subprocess The `search_wechat_articles` function constructs a search query using user-provided input (`query`) and passes it directly as an argument to an external Node.js script (`/root/.openclaw/workspace/skills/tavily-search/scripts/search.mjs`) via `subprocess.run`. While `subprocess.run` with a list of arguments mitigates direct shell injection, the Node.js script itself might be vulnerable if it processes its arguments in an unsafe manner (e.g., using `eval()`, `child_process.exec()`, or constructing internal shell commands). An attacker could craft the `query` to potentially execute arbitrary code within the Node.js environment or manipulate the script's behavior. Review the source code of `/root/.openclaw/workspace/skills/tavily-search/scripts/search.mjs` to ensure it safely handles all arguments and does not perform any unsafe evaluations or shell executions with user-controlled input. If the Node.js script is not controlled by the skill developer, consider using a safer API or a more robust sanitization method for the `query` before passing it to the external script. Ideally, the `tavily-search` skill should expose a Python API that can be called directly, rather than relying on `subprocess.run` to invoke its Node.js script. | LLM | wechat_search_simple.py:70 | |
| MEDIUM | Unpinned Python dependency version Requirement 'requests>=2.25.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/jixsonwang/wechat-search/requirements.txt:2 | |
| LOW | Skill attempts to read API key from user's OpenClaw config file The `wechat_search_fixed.py` skill attempts to load the `TAVILY_API_KEY` from `~/.openclaw/tavily-config.json` if it's not found in environment variables. While this is a common fallback for configuration, it grants the skill the ability to read files from a user's OpenClaw configuration directory. This could be considered an excessive permission if the skill's core functionality does not strictly require reading arbitrary files from this location, or if a malicious skill could leverage this to exfiltrate other sensitive configuration data. Ensure that skills are granted only the minimum necessary permissions. If the `TAVILY_API_KEY` is critical, rely solely on environment variables or a dedicated, secure credential management system provided by the platform. If reading from `~/.openclaw/tavily-config.json` is a design choice, ensure the file is properly secured and that the skill only attempts to read this specific file. | LLM | wechat_search_fixed.py:89 |
Scan History
Embed Code
[](https://skillshield.io/report/fd9ac7b65a7d561e)
Powered by SkillShield