Security Audit
sundial-org/awesome-openclaw-skills:skills/app-store-changelog
github.com/sundial-org/awesome-openclaw-skills
Trust Assessment
sundial-org/awesome-openclaw-skills:skills/app-store-changelog received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The single finding is a high-severity shell command injection via unvalidated script arguments.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on March 3, 2026 (commit 6d998e00). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Shell command injection via unvalidated script arguments. The `scripts/collect_release_changes.sh` script builds a `range` variable from the user-supplied arguments `since_ref` and `until_ref` and passes it directly to `git log` without validating or sanitizing it. An attacker could inject arbitrary shell commands by supplying crafted values for `since_ref` or `until_ref` (e.g., `v1.0.0; rm -rf /; #`), leading to arbitrary code execution on the host system. Remediation: validate `since_ref` and `until_ref` as genuine git references and reject any value containing shell metacharacters before using them in commands; a robust check is `git rev-parse --verify "$arg"`, rejecting any input it does not accept. Additionally, quote every variable used in shell commands, e.g., `git log ... "${range}"`, although quoting alone does not remove the risk from argument content that is never validated. | Static | scripts/collect_release_changes.sh:25 |
Full report: https://skillshield.io/report/46a06579b0826242
Powered by SkillShield