Skill Trust Decision

skill-factory

The skill uses undeclared shell execution, hardcoded suspicious paths, and remote npx code fetching without version pinning or integrity checks, with a doc-to-code mismatch on permissions.

Install decision first
Source: Manual upload
Scanned: Apr 4, 2026
Files 2
Artifacts 0
Violations 4
Findings 6
Most direct threat evidence
01
Skill masquerades as legitimate OpenClaw tooling via SKILL.md Entry · SKILL.md
02
Executes shell commands through undeclared execSync calls Escalation · scripts/factory.js
03
Runs remote npm package via npx @latest without pinning — fetches arbitrary code from the internet supply_chain · scripts/factory.js

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

4 undeclared or violating capabilities were inferred.

Pass
Hidden execution and egress

No obvious high-risk egress or execution signals were found.

Block
Attack chain and severe findings

The report includes 5 attack-chain steps and 3 severe findings.

Review
Dependencies and supply chain hygiene

1 dependency or supply-chain issue needs attention.

Attack Chain

01
Skill masquerades as legitimate OpenClaw tooling via SKILL.md

Entry · SKILL.md:1

02
Executes shell commands through undeclared execSync calls

Escalation · scripts/factory.js:161

03
Runs remote npm package via npx @latest without pinning — fetches arbitrary code from the internet

supply_chain · scripts/factory.js:170

04
References suspicious hardcoded path /opt/homebrew/lib/node_modules/... suggesting platform-specific targeting

Escalation · scripts/factory.js:163

05
User-controlled slug input could be exploited for path traversal to write outside skills/public/

Escalation · scripts/factory.js:53

What drove the risk score up

Undeclared shell execution via execSync +20

SKILL.md does not declare subprocess/child_process usage

Remote script fetch via npx @latest +15

npx clawhub@latest fetches and executes unversioned remote code without integrity check

Hardcoded suspicious path +15

References /opt/homebrew/lib/node_modules/.../package_skill.py — a planted or platform-specific path not declared anywhere

Doc-to-code capability mismatch +10

Inferred filesystem:WRITE and network:READ not reflected in SKILL.md documentation

Workspace-based file write escalation +8

Skill writes to skills/public/<slug>/ with user-controlled slug from arbitrary description input

Most important evidence

High RCE

Undeclared shell command execution via execSync

The script uses child_process.execSync to run arbitrary shell commands (python3 and npx) without declaring shell execution capability in SKILL.md. This is the highest-value doc-to-code mismatch signal.

scripts/factory.js:161

Declare shell:WRITE in the skill's allowed-tools. If shell execution is not a core feature, refactor to use Node.js stdlib only (e.g., fs for packaging).

High Obfuscation

Suspicious hardcoded path referencing /opt/homebrew/

A hardcoded absolute path /opt/homebrew/lib/node_modules/openclaw/skills/skill-creator/scripts/package_skill.py is used. This path pattern (/opt/homebrew) suggests macOS Homebrew targeting and is not declared in SKILL.md. It could be a planted backdoor path or a platform-specific dependency that may not exist.

scripts/factory.js:163

Replace the hardcoded path with a configurable one or use a stdlib-only approach. If this is a legitimate dependency, declare it in a requirements/package.json.

High Supply Chain

Remote code execution via npx @latest without version pinning

The publish function runs 'npx clawhub@latest publish' which fetches and executes remote npm code without a pinned version or hash verification. This is equivalent to curl|bash for the npm ecosystem — a critical supply chain risk.

scripts/factory.js:170

Pin to a specific version (e.g., clawhub@<pinned-version>) or verify the package integrity with a checksum. Document the expected clawhub CLI version.

Medium Doc Mismatch

SKILL.md does not declare any allowed-tools or capability permissions

The SKILL.md frontmatter is missing allowed-tools declarations. The code uses filesystem:WRITE, shell:WRITE, and network:READ+EXECUTE, but SKILL.md declares none of these. This is a clear doc-to-code mismatch.

SKILL.md:1

Add an allowed-tools declaration to the frontmatter listing Read and Bash (or equivalent) with justification for why each is needed.

Medium Sensitive Access

Arbitrary slug creation from user input could lead to path traversal

The slugify() function converts a user-provided description into a directory name without sanitization for path traversal. While slugify removes non-alphanumeric chars, a crafted input like '../../../etc/cron.d' could write outside the intended skills/public/ directory.

scripts/factory.js:53

Validate that the generated slug stays within the skills/public/ boundary. Add path traversal checks after slugification.

Low Supply Chain

No dependency pinning — zero stdlib-only constraint in package metadata

SKILL.md states the factory 'uses the LLM as the engine' but does not declare npm/node dependencies. The script uses only Node.js stdlib (fs, path, child_process), which is good, but no package.json or requirements.txt exists to lock the environment.

scripts/factory.js:1

Create a package.json pinning the Node.js engine version. Ensure execSync calls reference only trusted, declared tools.

Declared capability vs actual capability

Dimension | Verdict | Declared | Inferred | Evidence
Filesystem | Block | NONE | WRITE | scripts/factory.js:122 fs.mkdirSync(...); scripts/factory.js:130 fs.writeFileSync(...)
Network | Block | NONE | READ+EXECUTE | scripts/factory.js:170 execSync('npx clawhub@latest publish...'); scripts/factory.js:163 execSync('python3 /opt/homebrew/...')
Shell | Block | NONE | WRITE | scripts/factory.js:161 execSync('python3 ...'); scripts/factory.js:170 execSync('npx clawhub@latest ...')
Environment | Block | NONE | READ | scripts/factory.js:14 process.env.WORKSPACE; scripts/factory.js:15 process.env.CLAWHUB_TOKEN implied by npx login

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
npx (clawhub@latest) | * (unpinned) | npm remote | No | Remote code execution — no version pinning, no hash verification
python3 skill-creator | unpinned | /opt/homebrew/lib/node_modules/openclaw/... | No | Hardcoded path, not declared, platform-specific

File composition

2 files · 380 lines
JavaScript: 1 file · 274 lines
Markdown: 1 file · 106 lines
Files of concern · 2
scripts/factory.js JavaScript · 274 lines
Undeclared shell command execution via execSync · Suspicious hardcoded path referencing /opt/homebrew/ · Remote code execution via npx @latest without version pinning · Arbitrary slug creation from user input could lead to path traversal · No dependency pinning — zero stdlib-only constraint in package metadata
SKILL.md Markdown · 106 lines
SKILL.md does not declare any allowed-tools or capability permissions

Security positives

No base64-encoded strings or obfuscated code found in the implementation
No credential harvesting or environment variable exfiltration detected
No hardcoded IP addresses or external C2 communication endpoints found
No cron/persistence mechanisms or startup hooks detected
Script uses Node.js stdlib for core logic (fs, path) — no external npm dependencies needed for scaffolding