Security Audit
sundial-org/awesome-openclaw-skills:skills/anachb
github.com/sundial-org/awesome-openclaw-skills
Trust Assessment
sundial-org/awesome-openclaw-skills:skills/anachb received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 0 critical, 7 high, 0 medium, and 0 low severity. Key findings include JSON Injection via unescaped shell variables in curl payload.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on March 3, 2026 (commit 6d998e00). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | JSON Injection via unescaped shell variables in curl payload: User-controlled shell variables are directly interpolated into the JSON payload sent via `curl -d`. This allows an attacker to inject arbitrary JSON key-value pairs or modify existing ones by providing specially crafted input. This can lead to unexpected API behavior, information disclosure, or denial of service. Sanitize or properly escape the `STATION_ID` variable before embedding it into the JSON string. For example, use `jq -n --arg id "$STATION_ID" '{"extId": $id, ...}'` to construct the JSON payload safely, or escape double quotes and backslashes in the shell variable. | LLM | departures.sh:20 |
| HIGH | JSON Injection via unescaped shell variables in curl payload: User-controlled shell variables are directly interpolated into the JSON payload sent via `curl -d`. This allows an attacker to inject arbitrary JSON key-value pairs or modify existing ones by providing specially crafted input. This can lead to unexpected API behavior, information disclosure, or denial of service. Sanitize the `COUNT` variable to ensure it is a valid integer before embedding it into the JSON payload. Alternatively, use `jq -n --argjson count "$COUNT" '{"maxJny": $count, ...}'` to construct the JSON payload safely, ensuring `COUNT` is a valid JSON number. | LLM | departures.sh:21 |
| HIGH | JSON Injection via unescaped shell variables in curl payload: User-controlled shell variables are directly interpolated into the JSON payload sent via `curl -d`. This allows an attacker to inject arbitrary JSON key-value pairs or modify existing ones by providing specially crafted input. This can lead to unexpected API behavior, information disclosure, or denial of service. Sanitize the `MAX_RESULTS` variable to ensure it is a valid integer before embedding it into the JSON payload. Alternatively, use `jq -n --argjson max_results "$MAX_RESULTS" '{"maxNum": $max_results, ...}'` to construct the JSON payload safely, ensuring `MAX_RESULTS` is a valid JSON number. | LLM | disruptions.sh:14 |
| HIGH | JSON Injection via unescaped shell variables in curl payload: User-controlled shell variables are directly interpolated into the JSON payload sent via `curl -d`. This allows an attacker to inject arbitrary JSON key-value pairs or modify existing ones by providing specially crafted input. This can lead to unexpected API behavior, information disclosure, or denial of service. Sanitize or properly escape the `FROM_ID` variable before embedding it into the JSON string. For example, use `jq -n --arg id "$FROM_ID" '{"depLocL": [{"extId": $id, ...}], ...}'` to construct the JSON payload safely, or escape double quotes and backslashes in the shell variable. | LLM | route.sh:21 |
| HIGH | JSON Injection via unescaped shell variables in curl payload: User-controlled shell variables are directly interpolated into the JSON payload sent via `curl -d`. This allows an attacker to inject arbitrary JSON key-value pairs or modify existing ones by providing specially crafted input. This can lead to unexpected API behavior, information disclosure, or denial of service. Sanitize or properly escape the `TO_ID` variable before embedding it into the JSON string. For example, use `jq -n --arg id "$TO_ID" '{"arrLocL": [{"extId": $id, ...}], ...}'` to construct the JSON payload safely, or escape double quotes and backslashes in the shell variable. | LLM | route.sh:22 |
| HIGH | JSON Injection via unescaped shell variables in curl payload: User-controlled shell variables are directly interpolated into the JSON payload sent via `curl -d`. This allows an attacker to inject arbitrary JSON key-value pairs or modify existing ones by providing specially crafted input. This can lead to unexpected API behavior, information disclosure, or denial of service. Sanitize the `COUNT` variable to ensure it is a valid integer before embedding it into the JSON payload. Alternatively, use `jq -n --argjson count "$COUNT" '{"numF": $count, ...}'` to construct the JSON payload safely, ensuring `COUNT` is a valid JSON number. | LLM | route.sh:24 |
| HIGH | JSON Injection via unescaped shell variables in curl payload: User-controlled shell variables are directly interpolated into the JSON payload sent via `curl -d`. This allows an attacker to inject arbitrary JSON key-value pairs or modify existing ones by providing specially crafted input. This can lead to unexpected API behavior, information disclosure, or denial of service. Sanitize or properly escape the `QUERY` variable before embedding it into the JSON string. For example, use `jq -n --arg query "$QUERY" '{"loc": {"name": $query}, ...}'` to construct the JSON payload safely, or escape double quotes and backslashes in the shell variable. | LLM | search.sh:19 |
Report: https://skillshield.io/report/d4c6acdd5a1de4d7