Security Audit
sundial-org/awesome-openclaw-skills:skills/agent-chronicle
github.com/sundial-org/awesome-openclaw-skillsTrust Assessment
sundial-org/awesome-openclaw-skills:skills/agent-chronicle received a trust score of 0/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 11 findings: 5 critical, 6 high, 0 medium, and 0 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Command Injection via Pandoc Output Path.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on March 3, 2026 (commit 6d998e00). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings11
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/agent-chronicle/scripts/export.py:54 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/agent-chronicle/scripts/export.py:116 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/agent-chronicle/scripts/export.py:127 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/agent-chronicle/scripts/export.py:151 | |
| CRITICAL | Command Injection via Pandoc Output Path The `scripts/export.py` script uses `subprocess.run` to invoke `pandoc`. The `--output` argument, which is directly controlled by user input, is passed as part of the `pandoc` command line. Pandoc is known to parse its output filename for additional options. An attacker can inject arbitrary pandoc options, including Lua filters for code execution, by crafting a malicious output path (e.g., `--output 'report.pdf --lua-filter /tmp/evil.lua'`). This allows for arbitrary code execution on the host system. Sanitize the `output_path` argument to ensure it contains only a valid file path and no pandoc options. A robust solution involves validating the path and explicitly separating all pandoc options from the output file path in the `subprocess.run` call, ensuring no user input is directly concatenated into the options list. | Static | scripts/export.py:140 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'check_pandoc'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/agent-chronicle/scripts/export.py:54 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'export_pdf'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/agent-chronicle/scripts/export.py:116 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'export_html'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/agent-chronicle/scripts/export.py:151 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'export_pdf'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/agent-chronicle/scripts/export.py:127 | |
| HIGH | Command Injection via Pandoc Metadata in Diary Entries The `scripts/export.py` script combines user-controlled diary entries into a temporary markdown file (`.temp_diary.md`) which is then processed by `pandoc`. If an attacker can inject content into a diary entry (e.g., via interactive mode or direct file manipulation), they can embed pandoc-specific YAML metadata blocks (e.g., `--- lua-filter: /tmp/evil.lua ---`). Pandoc will parse and execute these options, leading to arbitrary code execution on the host system. Implement strict sanitization or validation of diary entry content to prevent the injection of pandoc-specific metadata or other executable directives. Alternatively, configure pandoc to disable features like Lua filters when processing untrusted input, or use a markdown parser that does not interpret such metadata as executable commands. | Static | scripts/export.py:109 | |
| HIGH | Arbitrary File Write Location via User-Configured Diary Path During the setup process (`scripts/setup.py`), the user is prompted to configure the `diary_path`. If the user provides a path outside the intended skill directory (e.g., `../../../../etc/`), the script will attempt to create directories and write files (`quotes.md`, `curiosity.md`, etc.) to this arbitrary location. If the skill is executed with elevated privileges (e.g., as root, as suggested by `get_workspace_root` checking `/root/clawd`), this could lead to overwriting sensitive system files, data tampering, or denial of service by filling up critical disk space. Validate the `diary_path` provided by the user to ensure it is a relative path within the skill's designated memory directory or a strictly controlled absolute path. Prevent writing to sensitive system directories. For example, resolve the path and check if it falls within an allowed base directory before proceeding with file operations. | Static | scripts/setup.py:105 |
Scan History
Embed Code
[](https://skillshield.io/report/9e25b794e522906b)
Powered by SkillShield