Skill Trust Decision

research-archive-query

Skill is a legitimate research archive query tool but has a significant doc-to-code mismatch: SKILL.md does not declare that it uses shell:WRITE via subprocess to invoke external scripts, and it depends on unsandboxed external scripts outside its own codebase.

Install decision first
Source: Manual upload
Scanned: Apr 5, 2026
Files 7
Artifacts 0
Violations 3
Findings 4
Most direct threat evidence

Why this conclusion was reached

1/4 dimensions flagged
Block
Declared vs actual capability

3 undeclared or violating capabilities were inferred.

Pass
Hidden execution and egress

No obvious high-risk egress or execution signals were found.

Pass
Attack chain and severe findings

There is no explicit malicious chain in the report.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

Undeclared shell execution via subprocess +20

SKILL.md declares only filesystem:READ for output but code uses subprocess to invoke external scripts in unified_query.py, registry.py, and publish_skill.py

Dynamic import of external scripts without verification +10

Code imports from alphapai-scraper scripts via dynamic WORKSPACE_ROOT path, no integrity checks

Hardcoded external script paths +8

ALPHAPAI_QUERY_SCRIPT and KB_ENGINE_SCRIPT point to unsandboxed external scripts that could contain arbitrary code

No dependency pinning +5

No requirements.txt or pinned dependencies found

Legitimate tool design with benign intent -10

No credential theft, data exfiltration to external IPs, or obfuscation observed

Most important evidence

Medium Doc Mismatch

Undeclared subprocess/shell execution

SKILL.md does not declare shell:WRITE capability. The skill uses subprocess.run() in unified_query.py (line 76), registry.py (via adapter commands), and publish_skill.py (line 58) to execute external CLI tools. This is a doc-to-code mismatch.

scripts/unified_query.py:76
Update SKILL.md to explicitly declare shell:WRITE for subprocess execution of archive query scripts.

Medium Supply Chain

Dynamic import from external workspace scripts

The skill imports run_ai_analysis and load_settings from alphapai-scraper scripts via dynamic path calculation (WORKSPACE_ROOT / 'skills/alphapai-scraper/scripts'). These external scripts are not bundled or verified.

scripts/unified_query.py:29
Either bundle required functions or verify script integrity before importing. Document the external dependency on alphapai-scraper.

Medium Doc Mismatch

Hardcoded external script paths with no integrity verification

registry.py hardcodes paths to ALPHAPAI_QUERY_SCRIPT and KB_ENGINE_SCRIPT pointing to scripts outside the skill's control. No checks verify these scripts haven't been tampered with.

scripts/registry.py:14
Add path existence checks or hash verification before executing external scripts.

Low Supply Chain

No dependency pinning

No requirements.txt, package.json, or Cargo.toml found. The modules imported directly, such as json, subprocess, and pathlib, are all part of the Python standard library.

scripts/unified_query.py:1
Create a requirements.txt or pyproject.toml to pin any third-party dependencies.

Declared capability vs actual capability

Shell · Block · Declared NONE · Inferred WRITE · scripts/unified_query.py:29 - subprocess.run()
Shell · Block · Declared NONE · Inferred WRITE · scripts/registry.py:47 - subprocess via build_exact_command()
Shell · Block · Declared NONE · Inferred WRITE · scripts/publish_skill.py:58 - subprocess.run(clawhub)
Filesystem · Pass · Declared WRITE · Inferred WRITE · scripts/unified_query.py:59 - Path.write_text() for reports

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

There are no structured dependency warnings.

File composition

7 files · 849 lines
Python 5 files · 754 lines
Markdown 1 file · 88 lines
YAML 1 file · 7 lines
Files of concern · 2
scripts/unified_query.py Python · 368 lines
Undeclared subprocess/shell execution · Dynamic import from external workspace scripts · No dependency pinning
scripts/registry.py Python · 135 lines
Hardcoded external script paths with no integrity verification
Other files · adapter_template.py · publish_skill.py · SKILL.md · package_skill.py · openai.yaml

Security positives

No credential harvesting or sensitive path access observed
No base64 encoding, eval(), or obfuscation detected
No curl|bash or wget|sh remote script execution
No direct IP network requests or C2 communication
No hidden instructions in HTML comments or documentation
File writes are limited to a controlled output directory in ~/.openclaw/data/
subprocess is used for legitimate CLI tool invocation (alphapai-scraper, kb_engine, clawhub)