Trust Assessment
write-plan received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. The key finding is that the skill attempts to inject instructions into the host LLM from untrusted context.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Skill attempts to inject instructions into host LLM from untrusted context. The `SKILL.md` file, which is explicitly designated as untrusted input, contains direct imperative instructions for the host LLM's behavior, workflow, and interaction patterns. This violates the security boundary that dictates untrusted content should be treated as data, not commands. The skill attempts to dictate subsequent actions, conditional logic, file write operations (e.g., 'saved to `memory/plans/<filename>.md`'), and even skill invocations ('Use dispatch-multiple-agents skill') from within the untrusted context. This is a direct prompt injection attempt by the skill itself, aiming to control the LLM's execution flow. Skill definitions should be declarative and describe capabilities, not contain imperative instructions for the LLM's runtime behavior within the untrusted content block. The LLM's orchestration logic should be external to the skill's untrusted definition. If the skill needs to guide the LLM's behavior, it should do so through structured outputs that the LLM's trusted orchestrator can interpret, rather than direct natural language instructions embedded in untrusted documentation. The manifest or a separate trusted configuration should define how the LLM interacts with the skill's output. | LLM | SKILL.md:48 |