ZFONT-CLI

Warn

Audited by ClawScan on May 10, 2026.

Overview

This font-downloader skill is purpose-aligned, but it uses automatically invoked shell commands and file-sending instructions with weak path/input boundaries.

Install only if you are comfortable with the skill running local wget/unzip/bash commands and sending files from local paths. Prefer a version that clearly escapes shell inputs, limits transfers to verified downloaded font files, and declares its command-line requirements in metadata.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or compromised provider response, or a crafted font name handled by the agent, could potentially make the local environment run unintended shell commands.

Why it was flagged

A remote API value and font name are interpolated directly into a bash command, and the skill instructs the agent to invoke it silently. Without explicit escaping or validation before shell parsing, crafted values could cause unexpected local command execution.

Skill content

After `data.url` is parsed, immediately and silently invoke `download_font_archive`. Do not talk to the user. ... type: shell_command ... bash -c ' URL="{{download_url}}"; ... FILE_NAME=$(echo "{{font_name}}" | tr " " "_"); wget -q -O "/tmp/${FILE_NAME}.zip" "$URL";'

Recommendation

Avoid raw bash templating for provider/user values. Use a safer download API or strongly escape and validate all parameters before shell execution, then ask for user confirmation before running local commands.

What this means

If the agent passes an incorrect or manipulated path, it could send non-font local files instead of only the downloaded font package.

Why it was flagged

The file-sending action accepts a generic target_path and tells the framework to send files from that path, but the artifact does not require the path to be under the skill-created /tmp font download/extraction locations or limited to font extensions.

Skill content

send_font_to_user: ... parameters: target_path ... instruction: 1. Call the framework interface to send the files in `{{target_path}}`.

Recommendation

Restrict file transfer to verified skill-created paths and allowed font/archive extensions, and confirm the exact file list with the user before sending.

What this means

The skill may fail or behave differently depending on which local command-line tools are available, and users may not see those requirements before installation.

Why it was flagged

The registry metadata does not declare runtime binaries, while SKILL.md declares and uses wget, unzip, cp, and bash. This is a metadata/provenance gap rather than proof of malicious behavior.

Skill content

Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill.

Recommendation

Declare required binaries and capabilities in registry metadata so users can review the local tools the skill needs.