Is healthcheck safe?

https://clawhub.ai/Stellarhold170NT/healthcheck

Overall score: 72/100
Verdict: CAUTION

This health tracking skill is functionally simple and benign in stated purpose, but its core design pattern of embedding shell commands with unsanitized user-interpolated placeholders creates a significant code injection risk. No data exfiltration or malicious intent was detected, and canary files were untouched. The primary concern is the unsafe command execution template pattern that could be exploited through crafted user input.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 65/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 45/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (8)

HIGH Unsanitized user input in shell command templates -40

The skill instructs the agent to replace the CUPS and NEW_CUPS placeholders with user-provided values directly inside node -e shell commands. No input validation, type checking, or escaping is specified. An attacker, or even accidentally malformed input, could inject arbitrary JavaScript into the Node.js runtime, which has full system access.

HIGH Seven embedded shell commands executed via agent -15

The skill contains seven separate node -e one-liner commands that the agent is expected to execute in a shell. Each command has full Node.js runtime access, including the filesystem, network, and child_process modules. While the commands themselves only use fs, nothing prevents injected code from importing more dangerous modules.

MEDIUM Implicit shell execution instruction pattern -25

The skill's entire interaction model is based on the agent executing shell commands in response to user phrases. This normalizes a dangerous pattern in which the agent runs arbitrary shell commands based on prompt content, weakening the agent's built-in safety barriers against command execution.

MEDIUM Non-English trigger phrases may obscure review -10

All user trigger phrases are in Vietnamese. While not inherently malicious, this could make it harder for English-speaking security reviewers to assess whether the trigger phrases contain hidden instructions or social engineering.

LOW Minified one-liners obscure code intent -15

All code is written as dense, minified one-liners that are difficult to audit at a glance. While this is common for node -e usage, it makes it easier to hide malicious logic inside otherwise innocent-looking health tracking code.

LOW File operations use configurable baseDir path -10

The {baseDir} placeholder determines where data is stored. If the agent resolves it to a sensitive directory, the skill could read or write files in unexpected locations. However, resolving this path is a platform responsibility, not a direct skill vulnerability.

INFO Runtime reads sensitive files during startup -5

The OpenClaw runtime accessed .env, .aws/credentials, .profile, and .bashrc during skill installation. This is attributable to the platform runtime, not the skill itself, but is noted for completeness.

INFO Combination risk with other skills -10

This skill establishes a pattern in which the agent readily executes node -e commands. Other skills could exploit this established trust to inject more dangerous commands, which the agent might then execute with less scrutiny.