Trust Assessment
wyoming-clawdbot received a trust score of 59/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 2 high, 2 medium, and 1 low severity. Key findings include Unpinned Python dependency version, Untrusted user input passed directly to external LLM command, Potential data exfiltration via LLM response due to prompt injection.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 61/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Untrusted user input passed directly to external LLM command. The `_call_clawdbot` function constructs a command to execute `clawdbot` using `asyncio.create_subprocess_exec`. The `text` variable, which originates from untrusted user input (voice commands via Wyoming Protocol `Transcript.text`), is directly inserted as the value for the `--message` argument. This allows an attacker to craft malicious input that could manipulate the behavior of the `clawdbot` AI assistant (e.g., by injecting new instructions, data exfiltration prompts, or other adversarial prompts), leading to prompt injection against the downstream LLM. Implement robust input validation and sanitization for `transcript.text` before passing it to the `clawdbot` command. If `clawdbot` is an LLM, consider using a dedicated LLM API with structured input rather than command-line arguments, or ensure the LLM itself has strong prompt injection defenses. If command-line execution is necessary, ensure the `clawdbot` application properly escapes or sanitizes its `--message` argument to prevent both prompt and potential command injection. | LLM | wyoming_clawdbot.py:100 |
| HIGH | Potential data exfiltration via LLM response due to prompt injection. The skill passes untrusted user input (`transcript.text`) directly to the `clawdbot` AI assistant. If an attacker successfully performs a prompt injection (as described in SS-LLM-001), they could instruct `clawdbot` to reveal sensitive information (e.g., system files, environment variables, internal configuration). The `_call_clawdbot` function captures the `stdout` of the `clawdbot` process and returns it as `response_text` to the Home Assistant client, effectively exfiltrating any data `clawdbot` is coerced into revealing. Address the underlying prompt injection vulnerability by sanitizing user input before passing it to `clawdbot`. Additionally, implement output filtering or redaction mechanisms to prevent sensitive information from being returned in `clawdbot`'s responses, even if it is coerced into revealing it. | LLM | wyoming_clawdbot.py:100 |
| MEDIUM | Unpinned Python dependency version. Requirement `wyoming>=1.5.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Dependencies | skills/vglafirov/wyoming-clawdbot/requirements.txt:1 |
| MEDIUM | Untrusted user input passed to external command, potential for command injection. The `_call_clawdbot` function executes an external `clawdbot` command with user-controlled input (`transcript.text`) as an argument. While `asyncio.create_subprocess_exec` with a list of arguments mitigates direct shell injection, if the `clawdbot` program itself processes its `--message` argument in an unsafe manner (e.g., by internally using `eval()` or `os.system()` with the message content), it could lead to command injection within the `clawdbot` application. Beyond sanitizing for prompt injection, ensure that the `clawdbot` application itself is hardened against command injection vulnerabilities when processing its arguments, especially user-provided text. If `clawdbot` is under the developer's control, review its argument parsing and processing logic. | LLM | wyoming_clawdbot.py:100 |
| LOW | Unpinned dependency version. The `requirements.txt` specifies `wyoming>=1.5.0`, which allows any version greater than or equal to 1.5.0. This can lead to non-deterministic builds and may introduce vulnerabilities or breaking changes if newer versions of the `wyoming` library are installed that have not been tested with this skill. Pin the exact version of `wyoming` (e.g., `wyoming==1.5.0`) to ensure reproducible builds and prevent unexpected issues from future updates. Regularly review and update dependencies. | LLM | requirements.txt:1 |