Trust Assessment
whisper received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 3 critical, 2 high, 1 medium, and 0 low severity. Key findings include Command Injection / Path Traversal via untrusted TARGET_AGENT in filenames, Command Injection via untrusted TARGET_AGENT in KDF salt generation, Command Injection via untrusted THEIR_X25519 in dead drop calculation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection / Path Traversal via untrusted TARGET_AGENT in filenames: The user-provided `TARGET_AGENT` variable is directly interpolated into file paths for contact and session key storage. An attacker could craft `TARGET_AGENT` to include path traversal sequences (e.g., `../../`) or shell metacharacters (e.g., `$(command)`) to read/write arbitrary files or execute commands on the host system. This affects both the 'Discover an Agent' and 'Send Encrypted Message' functionalities. Sanitize `TARGET_AGENT` to only allow safe characters (e.g., alphanumeric, hyphens, underscores) and explicitly prevent path separators (`/`, `..`). Alternatively, use a more robust method for file naming that doesn't involve direct string interpolation of untrusted input, such as creating a temporary file and then moving it to a validated path. | LLM | SKILL.md:106 |
| CRITICAL | Command Injection / Path Traversal via untrusted FROM in filenames: The `FROM` field, extracted from an untrusted received message, is directly interpolated into the path for the session key file. An attacker could craft a malicious `FROM` value (e.g., `../../../../tmp/evil`) to cause path traversal or command injection when the agent attempts to decrypt a message, potentially leading to arbitrary file access or command execution. Sanitize `FROM` to only allow safe characters (e.g., alphanumeric, hyphens, underscores) and explicitly prevent path separators (`/`, `..`). This validation must occur immediately after `FROM` is extracted from the untrusted message. | LLM | SKILL.md:230 |
| CRITICAL | Command Injection via untrusted IV in openssl decryption command: The `IV` field, extracted from an untrusted received message, is directly interpolated into the `openssl enc -iv` command. If `IV` contains shell metacharacters (e.g., `$(command)`), it could lead to arbitrary command execution on the host system during message decryption. Sanitize `IV` to ensure it contains only valid hexadecimal characters. Avoid direct shell interpolation of untrusted data into command arguments. Instead, pass `IV` as a separate, validated argument or use a method that does not involve shell interpretation. | LLM | SKILL.md:244 |
| HIGH | Command Injection via untrusted TARGET_AGENT in KDF salt generation: The user-provided `TARGET_AGENT` variable is directly interpolated into an `echo -e` command, which is then piped to `sort`. If `TARGET_AGENT` contains shell metacharacters (e.g., `$(command)` or backticks), it could lead to arbitrary command execution on the host system during the key derivation function (KDF) salt generation. Use `printf %s` instead of `echo -e` for untrusted input to prevent interpretation of shell metacharacters. Ensure `TARGET_AGENT` is sanitized to contain only safe characters before being used in shell commands. | LLM | SKILL.md:159 |
| HIGH | Command Injection via untrusted THEIR_X25519 in dead drop calculation: The `THEIR_X25519` value, which is read from a contact file (potentially manipulated by an attacker via path traversal, see related finding), is directly interpolated into an `echo -e` command. If `THEIR_X25519` contains shell metacharacters, it could lead to arbitrary command execution during the dead drop location calculation. This represents a chained vulnerability. Sanitize `THEIR_X25519` to contain only safe characters before use, or use `printf %s` instead of `echo -e`. Implement robust validation for contact file content to prevent malicious data from being stored and subsequently used. | LLM | SKILL.md:190 |
| MEDIUM | Potential Command Injection via untrusted MESSAGE in echo -n: The user-provided `MESSAGE` is passed to `echo -n`. While `echo -n` is generally safer than plain `echo`, it can still be vulnerable if `MESSAGE` starts with a hyphen (e.g., `-e`) which `echo` might interpret as an option, or if it contains command substitutions (e.g., `$(command)`). This could lead to unintended command execution or behavior. Use `printf %s "$MESSAGE"` instead of `echo -n "$MESSAGE"` to prevent interpretation of `MESSAGE` as `echo` options or command substitutions. This is a more robust way to pass literal string data to a pipe. | LLM | SKILL.md:170 |