skill-composer Security Report — Low Risk | ClawSafe

15 /100

skill-composer

编排多个OpenClaw技能成自动化工作流，一次命令完成复杂任务

Skill Composer is a legitimate workflow orchestrator for OpenClaw skills with no malicious indicators; uses subprocess for documented skill invocation and restricted eval for condition evaluation.

Skill Nameskill-composer

Duration28.8s

Enginepi

✓

Safe to install

No immediate action required. Consider pinning PyYAML version in install.sh for supply chain hygiene.

Findings 2 items

Severity	Finding	Location
Low	Unpinned PyYAML dependency Supply Chain install.sh installs PyYAML without specifying a version, potentially pulling a compromised or incompatible future version `pip3 install --user PyYAML` → Pin version: pip3 install --user 'PyYAML>=5.4,<7.0'	`install.sh:21`
Low	Broad skill orchestration scope not prominently documented Doc Mismatch skill.json declares 'skills: [""]' allowing execution of any installed skill, which could enable chained attacks if one skill is compromised `"skills": [""]` → Document the '*' scope in SKILL.md with security considerations	`skill.json:28`

Resource	Declared	Inferred	Status	Evidence
Shell	`WRITE`	`WRITE`	✓ Aligned	source/composer.py:95 - subprocess.run(['claw', 'skill', 'exec', skill] + args)
Filesystem	`NONE`	`READ`	✓ Aligned	source/composer.py:51 - reads workflow YAML files
Network	`NONE`	`NONE`	—	No network requests observed

1 findings

🔗

Medium External URL 外部 URL

https://utopiabenben.github.io/ai-skills/

SKILL.md:207

File Tree

7 files · 19.1 KB · 703 lines

Python 1f · 241L Markdown 1f · 206L YAML 3f · 140L JSON 1f · 83L Shell 1f · 33L

├─ ▾ 📁 examples

│ ├─ 📋 content-creation-pipeline.yaml YAML 51L · 1.2 KB

│ ├─ 📋 video-processing-pipeline.yaml YAML 39L · 998 B

│ └─ 📋 weekly-stock-report.yaml YAML 50L · 1.1 KB

├─ ▾ 📁 source

│ └─ 🐍 composer.py Python 241L · 8.1 KB

├─ 🔧 install.sh Shell 33L · 926 B

├─ 📋 skill.json JSON 83L · 2.0 KB

└─ 📝 SKILL.md Markdown 206L · 4.9 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`PyYAML`	`>=5.4`	pip	No	Version not pinned in install.sh, but skill.json specifies >=5.4

Security Positives

✓ Uses yaml.safe_load() - safe YAML parsing

✓ eval() has restricted builtins: {"__builtins__": {}}

✓ No credential harvesting or environment variable enumeration

✓ No base64 encoding/decoding or obfuscation

✓ No external IP connections or data exfiltration

✓ subprocess only invokes local 'claw' command for skill execution

✓ No sensitive file path access (~/.ssh, ~/.aws, .env)

✓ No reverse shell, C2, or remote code execution indicators

Scan Report

Findings 2 items

File Tree

Dependencies 1 items

Security Positives