Security Audit

x-to-kindle

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

TRUSTED

Scanned 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

x-to-kindle received a trust score of 83/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 0 medium, and 1 low severity. Key findings include Node lockfile missing, Arbitrary file read and exfiltration via email.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

98%

LLM Behavioral Safety

85%

Behavioral Risk Signals

Filesystem Write

2 findings

Shell Execution

1 finding

Excessive Permissions

1 finding

Security Findings2

Severity	Finding	Layer	Location
HIGH	Arbitrary file read and exfiltration via email The `send_to_kindle.py` script is designed to take a `file_path` as a command-line argument (`sys.argv[1]`). It then opens and reads the content of this arbitrary file, attaching it to an email sent to the configured `KINDLE_EMAIL`. If the LLM is compromised, an attacker could instruct the skill to read any readable file on the filesystem (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, sensitive configuration files) and exfiltrate its contents to the `KINDLE_EMAIL` address. This violates the principle of least privilege, as the skill's primary purpose is to send formatted X/Twitter posts, not arbitrary system files. 1. Restrict File Access: Modify `send_to_kindle.py` to only accept file paths within a designated, secure temporary directory (e.g., `/tmp/skill_x_to_kindle/`) or to only accept files that the skill itself has generated and explicitly marked as safe to send. 2. Input Validation: Implement strict validation on the `file_path` argument to prevent path traversal (`../`) and ensure it points to an expected file type or location. 3. Principle of Least Privilege: The `send_to_kindle` tool should ideally not expose an arbitrary `file_path` argument directly to the LLM. Instead, the LLM should call a higher-level function that generates the content and then internally calls `send_to_kindle.py` with the path to the securely generated file.	LLM	send_to_kindle.py:37
LOW	Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution.	Dependencies	skills/brianlu365ai/x-to-kindle/package.json

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/1c5f2f5db739274d.svg)](https://skillshield.io/report/1c5f2f5db739274d)