Security Audit

WilsonLiu95/openclaw-skills:skills/openclaw-toolbox

github.com/WilsonLiu95/openclaw-skills

AI SkillCommit dacc554a65f5

CRITICAL

Scanned 12 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

WilsonLiu95/openclaw-skills:skills/openclaw-toolbox received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 20 findings: 9 critical, 8 high, 3 medium, and 0 low severity. Key findings include Arbitrary command execution, File read + network send exfiltration, Sensitive environment variable access: $HOME.

The analysis covered 4 layers: dependency_graph, llm_behavioral_safety, manifest_analysis, static_code_analysis. The manifest_analysis layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 8, 2026 (commit dacc554a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

Static Code Analysis

Dependency Graph

100%

LLM Behavioral Safety

78%

Behavioral Risk Signals

Network Access

8 findings

Filesystem Write

15 findings

Shell Execution

13 findings

Dynamic Code

1 finding

Excessive Permissions

16 findings

Security Findings20

Severity	Finding	Layer	Location
CRITICAL	Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Unknown	/tmp/skillscan-clone-jczz7k9m/repo/skills/openclaw-toolbox/scripts/setup.sh:148
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Unknown	/tmp/skillscan-clone-jczz7k9m/repo/skills/openclaw-toolbox/scripts/setup.sh:313
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Unknown	/tmp/skillscan-clone-jczz7k9m/repo/skills/openclaw-toolbox/scripts/setup.sh:314
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Unknown	/tmp/skillscan-clone-jczz7k9m/repo/skills/openclaw-toolbox/scripts/setup.sh:316
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Unknown	/tmp/skillscan-clone-jczz7k9m/repo/skills/openclaw-toolbox/scripts/setup.sh:320
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Unknown	/tmp/skillscan-clone-jczz7k9m/repo/skills/openclaw-toolbox/scripts/setup.sh:321
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Unknown	/tmp/skillscan-clone-jczz7k9m/repo/skills/openclaw-toolbox/scripts/setup.sh:323
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Unknown	/tmp/skillscan-clone-jczz7k9m/repo/skills/openclaw-toolbox/scripts/setup.sh:339
CRITICAL	Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter.	Unknown	/tmp/skillscan-clone-jczz7k9m/repo/skills/openclaw-toolbox/scripts/setup.sh:148
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Unknown	/tmp/skillscan-clone-jczz7k9m/repo/skills/openclaw-toolbox/scripts/setup.sh:313
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Unknown	/tmp/skillscan-clone-jczz7k9m/repo/skills/openclaw-toolbox/scripts/setup.sh:314
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Unknown	/tmp/skillscan-clone-jczz7k9m/repo/skills/openclaw-toolbox/scripts/setup.sh:316
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Unknown	/tmp/skillscan-clone-jczz7k9m/repo/skills/openclaw-toolbox/scripts/setup.sh:320
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Unknown	/tmp/skillscan-clone-jczz7k9m/repo/skills/openclaw-toolbox/scripts/setup.sh:321
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Unknown	/tmp/skillscan-clone-jczz7k9m/repo/skills/openclaw-toolbox/scripts/setup.sh:323
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Unknown	/tmp/skillscan-clone-jczz7k9m/repo/skills/openclaw-toolbox/scripts/setup.sh:339
HIGH	Supply Chain Risk: Ambiguous 'codex' Package Installation The setup script attempts to install a global npm package named 'codex'. On the public npm registry, 'codex' is an abandoned package (last updated ~9 years ago) unrelated to modern AI tools. In the context of installing AI CLIs (Claude, Gemini), this generic name is likely a mistake or a target for typosquatting/dependency confusion. Installing it executes arbitrary code via lifecycle scripts. Verify the intended package name. If referring to a specific tool, use the scoped package name (e.g., @org/codex) or the correct CLI package name. Remove 'codex' if it is not required.	Unknown	scripts/setup.sh:145
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Unknown	/tmp/skillscan-clone-jczz7k9m/repo/skills/openclaw-toolbox/scripts/backup-now.sh:65
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Unknown	/tmp/skillscan-clone-jczz7k9m/repo/skills/openclaw-toolbox/scripts/setup.sh:149
MEDIUM	Command Injection via Unsafe .env Parsing The `load_env_file` function parses `.env` files and exports variables using `export "$key=$value"`. In Bash, double-quoted strings undergo command substitution. If the `.env` file contains malicious values (e.g., `KEY=$(malicious_command)`), the command will be executed immediately upon export. This allows arbitrary code execution if the `.env` file is compromised or sourced from an untrusted repository. Avoid using `export` on unvalidated strings from files. If the `.env` file is trusted, `source` it directly. If not, use a stricter parser that prevents shell expansion (e.g., reading line by line and validating content before assignment, or using single quotes for assignment if possible, though `export` makes this difficult in pure Bash).	Unknown	scripts/backup-now.sh:58

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/3906ff843150a48d.svg)](https://skillshield.io/report/3906ff843150a48d)