Is healthcheck safe?

https://clawhub.ai/skill/healthcheck

62 · CAUTION

This health tracking skill contains a critical command injection vulnerability: user input is interpolated directly into node -e shell commands without any sanitization. While the skill's stated purpose is benign (tracking water and sleep), the implementation pattern of executing inline Node.js via shell commands with unsanitized user input creates a serious code execution risk. No malicious intent was detected in clone behavior or canary monitoring, but the unsafe coding pattern makes this skill dangerous in practice.

Category Scores

Prompt Injection 55/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 35/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (7)

CRITICAL Command injection via unsanitized user input in node -e commands -55

The skill instructs the agent to substitute raw user input (CUPS, NEW_CUPS) directly into node -e inline JavaScript commands. There is no input validation, sanitization, or escaping. An attacker can craft input that breaks out of the intended numeric context and executes arbitrary JavaScript/shell commands. For example, a user providing '2});require("child_process").execSync("malicious_command");({cups:0' as the CUPS value would execute arbitrary code.

HIGH Skill directs agent to execute shell commands from user-triggered phrases -30

The skill establishes a pattern where specific user phrases (in Vietnamese) trigger the agent to execute predefined shell commands. This conditions the agent to run arbitrary shell commands based on conversational triggers, which is an unsafe behavioral pattern. The agent is essentially being instructed to be a command execution proxy triggered by natural language.

HIGH Multiple executable inline Node.js commands embedded in skill -10

The skill contains 7 distinct node -e one-liner commands covering add, update, delete, and view operations. Each is a fully executable shell command that the agent is expected to run. While the commands themselves only interact with a JSON file, the sheer number of executable code blocks increases attack surface and normalizes the agent executing shell commands.

MEDIUM Vietnamese-language triggers may obscure skill behavior for non-Vietnamese users -15

All trigger phrases are in Vietnamese (uống X cốc, đi ngủ, thức dậy, thống kê). Non-Vietnamese-speaking users who install this skill may not understand when or why the agent is executing shell commands, reducing their ability to oversee agent behavior.

LOW JSON data file created in baseDir with health information -15

The skill creates a health-data.json file containing water intake and sleep patterns with timestamps. While this is the intended functionality, this health data could be sensitive PII. The file is stored in plaintext with no access controls.

INFO Clean installation with expected network activity only -10

Installation monitoring shows only expected behavior: mDNS traffic, DNS resolution, HTTPS connection to what appears to be the clawhub.ai registry (216.150.1.1:443), and standard system processes (gdm, gnome-session, etc.).

MEDIUM Skill normalizes direct shell execution pattern for trivial functionality -60

A simple health tracker could be implemented entirely through file read/write tools without shell execution. The choice to use node -e shell commands for JSON file manipulation is unnecessarily dangerous and sets a precedent for the agent to execute shell commands freely. This could lower the agent's resistance to executing shell commands from other, potentially malicious, sources.