Skill Trust Decision

zanna-aperta

Skill contains undeclared exec_docker and exec_git tools allowing arbitrary shell command execution, plus suspicious 'ragretrevers' directory naming pattern indicative of covert operations.

Source: Manual upload · Scanned: Apr 4, 2026
Files: 2 · Artifacts: 0 · Violations: 2 · Findings: 6
Most direct threat evidence

01 Skill masquerades as MCP bridge for OpenClaw with 45 declared tools (Entry · SKILL.md)
02 Attacker discovers undeclared exec_docker/exec_git tools via tools/list (Discovery · zanna-aperta.py)
03 Attacker executes arbitrary Docker commands (docker run --rm -v /:/host alpine chroot /host sh) (Escalation · zanna-aperta.py)

Why this conclusion was reached

2/4 dimensions flagged

Block · Declared vs actual capability
2 undeclared or violating capabilities were inferred.

Pass · Hidden execution and egress
No obvious high-risk egress or execution signals were found.

Block · Attack chain and severe findings
The report includes 5 attack-chain steps and 2 severe findings.

Review · Dependencies and supply chain hygiene
4 dependency or supply-chain issues need attention.

Attack Chain

01 Skill masquerades as MCP bridge for OpenClaw with 45 declared tools
   Entry · SKILL.md:1

02 Attacker discovers undeclared exec_docker/exec_git tools via tools/list
   Discovery · zanna-aperta.py:467

03 Attacker executes arbitrary Docker commands (docker run --rm -v /:/host alpine chroot /host sh)
   Escalation · zanna-aperta.py:467

04 Attacker uses exec_git to push sensitive data to external repo (git push --all attacker-controlled remote)
   Escalation · zanna-aperta.py:479

05 Full container breakout and data exfiltration via git remote
   Impact · zanna-aperta.py:479

What drove the risk score up

Undeclared arbitrary command execution +25
exec_docker and exec_git accept arbitrary string commands that are not mentioned in SKILL.md.

Suspicious directory naming +15
MEMORY_DIR contains 'ragretrevers' (regret revers?); the unconventional naming suggests a hidden purpose.

Undeclared shell execution +15
SKILL.md does not declare subprocess usage for the 45 tools.

No command allowlisting +10
exec_docker and exec_git pass raw strings to subprocess with no sanitization.

External tool dependencies +8
Relies on docker, git, pnpm and ollama without pinned versions.

Most important evidence

High · RCE
Undeclared arbitrary Docker command execution
The exec_docker function accepts arbitrary command strings, splits them with command.split() and executes them with subprocess.run. It is not declared in the SKILL.md tool list.
zanna-aperta.py:467
Remove, or document with a strict command allowlist (e.g., only 'ps', 'images', 'containers list').

High · RCE
Undeclared arbitrary Git command execution
The exec_git function accepts arbitrary command strings and executes them, allowing git clone, git push --all, git config and so on.
zanna-aperta.py:479
Remove, or restrict to read-only commands (status, log, diff).

Medium · Doc Mismatch
SKILL.md missing exec tools declaration
SKILL.md lists 45 tools but does not mention exec_docker or exec_git, which provide direct shell access.
SKILL.md:1
Add exec_docker and exec_git to the documentation with security caveats.

Medium · Sensitive Access
Suspicious directory naming pattern
MEMORY_DIR is set to 'memory/ragretrevers'; 'ragretrevers' reads as 'regret revers', suggesting hidden or undo operations.
zanna-aperta.py:19
Investigate the purpose of the 'ragretrevers' directory; rename it if not legitimate.

Medium · Priv Escalation
Undeclared subprocess usage throughout
Nearly all 45 tools use subprocess to invoke the openclaw CLI, a de facto shell:WRITE capability not declared in SKILL.md.
zanna-aperta.py:64
Document the shell:WRITE capability in the SKILL.md security section.

Low · Supply Chain
Unpinned external tool dependencies
The skill relies on the docker, git, pnpm and ollama binaries without version checks or pinning.
zanna-aperta.py:467
Add version checks for the required binaries.

Declared capability vs actual capability

Capability    Result  Declared  Inferred  Evidence
Filesystem    Pass    WRITE     WRITE     workspace_create, project_create write to disk
Shell         Block   NONE      WRITE     exec_docker (line 467), exec_git (line 479) accept arbitrary commands
Network       Pass    READ      READ      Ollama API calls to localhost:11434
Skill Invoke  Block   NONE      WRITE     sessions_send, cron_add allow arbitrary message injection

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

Package  Version  Source  Known vuln  Notes
docker   *        system  No          Binary not pinned, accessed via subprocess
git      *        system  No          Binary not pinned, accessed via subprocess
pnpm     *        system  No          Used for ClawX startup via pnpm run dev
ollama   *        system  No          Optional local AI, called via curl

File composition

2 files · 1499 lines
Python · 1 file · 1435 lines
Markdown · 1 file · 64 lines

Files of concern · 2
zanna-aperta.py · Python · 1435 lines
  Undeclared arbitrary Docker command execution · Undeclared arbitrary Git command execution · Suspicious directory naming pattern · Undeclared subprocess usage throughout · Unpinned external tool dependencies
SKILL.md · Markdown · 64 lines
  SKILL.md missing exec tools declaration

Security positives

Skill follows standard MCP protocol structure
Input validation via inputSchema in tool definitions
Timeout limits on subprocess calls (30-300s)
JSON-RPC error handling present
No base64-encoded payloads or obfuscation detected