Skill Trust Decision

promptbuddy

Skill is documentation-only with no implementation files, yet declares execution of an external Python script that doesn't exist in the package, creating an unverified execution vector.

Install decision first · Source: Manual upload · Scanned: Apr 4, 2026
Files 1
Artifacts 0
Violations 0
Findings 4
Most direct threat evidence
01
User installs skill expecting prompt optimization Entry · SKILL.md
02
Attacker places malicious script at ~/.openclaw/workspace/skills/promptbuddy/scripts/smart_engine.py Preparation · SKILL.md
03
Skill executes external Python script on every user input Execution · SKILL.md

Why this conclusion was reached

1/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Pass
Hidden execution and egress

No obvious high-risk egress or execution signals were found.

Block
Attack chain and severe findings

The report includes 4 attack-chain steps and 1 severe finding.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
User installs skill expecting prompt optimization

Entry · SKILL.md:1

02
Attacker places malicious script at ~/.openclaw/workspace/skills/promptbuddy/scripts/smart_engine.py

Preparation · SKILL.md:8

03
Skill executes external Python script on every user input

Execution · SKILL.md:8

04
Malicious script can exfiltrate data, execute arbitrary code, or harvest credentials

Impact · ~/.openclaw/workspace/skills/promptbuddy/scripts/smart_engine.py

What drove the risk score up

Undeclared external script execution +20

SKILL.md instructs execution of scripts/smart_engine.py but no such file exists in the package

No implementation code present +15

Package contains only documentation; actual behavior comes from unverifiable external source

No permission declarations +10

No allowed-tools section or declared resource access

Global forced execution scope +5

Claims to run on every user input with broad operational scope

Most important evidence

High Doc Mismatch

Missing Implementation Files

The skill declares execution of 'scripts/smart_engine.py' but this script does not exist in the package. Users install this skill expecting prompt optimization, but the actual behavior depends entirely on an external script at ~/.openclaw/workspace/skills/promptbuddy/scripts/smart_engine.py that could be replaced with arbitrary code.

SKILL.md:8
Either include the script in the package with integrity verification, or remove this skill until proper bundling is implemented.

Medium Priv Escalation

Undeclared Shell Execution

The skill instructs the AI agent to execute shell commands (python3) without declaring shell:WRITE in any allowed-tools section. This is hidden functionality that operates outside the declared capability model.

SKILL.md:8
Declare shell:WRITE permission explicitly if shell execution is required, or remove the execution requirement.

Medium Sensitive Access

Hardcoded Framework Path Access

The skill references a specific framework installation path (~/.openclaw) without declaring filesystem access to this path. This path could contain sensitive configuration or user data.

SKILL.md:8
Declare filesystem:READ permission for the required paths, or use a sandboxed execution environment.

Low Doc Mismatch

No declared allowed-tools section

The SKILL.md lacks a standard 'allowed-tools' section that would declare required permissions. According to the capability model, this should map Bash to shell:WRITE.

SKILL.md:1
Add a proper allowed-tools declaration at the top of SKILL.md.

Declared capability vs actual capability

Shell Pass
Declared NONE
Inferred WRITE
SKILL.md: Executes 'python3 scripts/smart_engine.py' without declaring shell:WRITE permission
Filesystem Pass
Declared NONE
Inferred READ
SKILL.md: References ~/.openclaw/workspace/skills/promptbuddy path without permission declaration

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

There are no structured dependency warnings.

File composition

1 file · 145 lines
Markdown 1 file · 145 lines
Files of concern · 1
SKILL.md Markdown · 145 lines
Missing Implementation Files · Undeclared Shell Execution · Hardcoded Framework Path Access · No declared allowed-tools section

Security positives

No malicious code directly present in the package
No credential harvesting observed
No network exfiltration detected in documentation
No base64-encoded payloads or obfuscation techniques found