Skill Trust Decision

task-progress-stream

The skill executes arbitrary shell commands taken from user-controlled input (the --cmd parameter) without declaring a shell:WRITE capability in SKILL.md, which makes it an undeclared privilege escalation vector.

Source: Manual upload · Scanned: Apr 4, 2026
Files 2
Artifacts 0
Violations 2
Findings 3
Most direct threat evidence
01 · User invokes skill with --cmd parameter · Initialization · scripts/task_progress_stream.js
02 · Arbitrary command passed to /bin/bash -lc without validation · Escalation · scripts/task_progress_stream.js
03 · Attacker can run curl|bash from an external source, pip install malicious packages, or access local system resources · Impact · scripts/task_progress_stream.js

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Pass
Hidden execution and egress

No obfuscated or hidden execution and no high-risk network egress signals were found.

Block
Attack chain and severe findings

The report includes 3 attack-chain steps and 2 severe findings.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
User invokes skill with --cmd parameter

Initialization · scripts/task_progress_stream.js:265

02
Arbitrary command passed to /bin/bash -lc without validation

Escalation · scripts/task_progress_stream.js:285

03
Attacker can run curl|bash from an external source, pip install malicious packages, or read and modify local system resources

Impact · scripts/task_progress_stream.js:285

What drove the risk score up

Undeclared shell execution capability +30

SKILL.md does not declare that arbitrary commands can be executed via --cmd parameter

Arbitrary command injection risk +25

User-provided --cmd is passed directly to /bin/bash -lc without validation

Privilege escalation via skill context +10

Commands run with whatever permissions the AI agent process holds, so the skill inherits the agent's privileges.

Most important evidence

High · Privilege escalation

Undeclared shell command execution

The skill accepts a --cmd parameter that is passed directly to /bin/bash without any validation or sanitization. This allows execution of arbitrary shell commands, which is not declared in SKILL.md's allowed tools or capability model.

scripts/task_progress_stream.js:285
Declare the shell:WRITE capability in SKILL.md metadata, restrict the skill to specific safe commands, or implement command allowlisting.
High · Privilege escalation

No command validation or sanitization

The user-supplied command string is executed verbatim through bash -lc without any checks for dangerous operations (pip install, curl|bash, etc.).

scripts/task_progress_stream.js:285
Validate and allowlist the command, then spawn the target program directly with an argument array and no shell so the string is never re-parsed by bash. Note that spawn('/bin/bash', ['-lc', cmd]) already uses an argument array but still hands the whole string to a shell for evaluation, so the array form alone does not fix this.
Medium · Documentation mismatch

Filesystem write operations not declared

The skill writes status JSON, Markdown, and log files to a configurable outDir, but this filesystem:WRITE usage is not documented.

scripts/task_progress_stream.js:234
Document the filesystem:WRITE usage in SKILL.md, or write to a temporary directory with automatic cleanup.

Declared capability vs actual capability

Shell · Block
Declared: NONE · Inferred: WRITE
scripts/task_progress_stream.js:285 - spawn('/bin/bash', ['-lc', cmd])
Filesystem · Block
Declared: NONE · Inferred: WRITE
scripts/task_progress_stream.js:279-281 - creates outDir and status files
Network · Pass
Declared: NONE · Inferred: NONE
openclaw gateway call is local IPC only

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

There are no structured dependency warnings.

File composition

2 files · 528 lines
JavaScript · 1 file · 473 lines
Markdown · 1 file · 55 lines
Files of concern · 1
scripts/task_progress_stream.js · JavaScript · 473 lines
Undeclared shell command execution · No command validation or sanitization · Filesystem write operations not declared
Other files · SKILL.md

Security positives

No credential harvesting - the script does not read API keys, tokens, or passwords
No data exfiltration - only local IPC with the openclaw gateway, no external network requests
No obfuscation - the code is readable JavaScript without base64 or eval() tricks
No malicious dependencies - no package.json pulls in untrusted packages
Progress parsing is legitimate functionality, as documented