Back to skill

Security audit

LEIO SDLC

Security checks across malware telemetry and agentic risk

Overview

The skill is a real SDLC automation framework, but it gives agents broad code, Git, deployment, external-sync, hook, and service-restart authority that is not fully bounded or disclosed in the main skill instructions.

Install only if you are comfortable giving this skill authority to spawn agents, edit and commit code, create and delete branches, merge reviewed changes, write run artifacts, send OpenClaw messages, and perform deployment actions. Before use, review deploy.sh, kit-deploy.sh, orchestrator.py, and config/prompts.json; disable or remove GitHub auto-sync, git hook installation, and gateway restart behavior if you do not explicitly want them. Run it only in repositories you control, with trusted environment variables and CLI arguments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (173)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"[{role or 'system'}] Invoking agent driver: {' '.join(cmd)}")
        
        for attempt in range(3):
            result = subprocess.run(cmd, capture_output=True, text=True)
            if result.returncode == 0:
                print(result.stdout)
                if return_output:
Confidence
89% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
diff_file = os.path.join(args.run_dir, "current_arbitration.diff")
    diff_cmd = f"git diff {args.diff_target} --no-color > {diff_file}"
    subprocess.run(diff_cmd, shell=True)

    task_string = build_prompt("arbitrator",
        workdir=workdir,
Confidence
99% confidence
Finding
subprocess.run(diff_cmd, shell=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not args.override_diff_file:
        diff_cmd = f"git diff {args.diff_target} --no-color > {diff_file}"
        subprocess.run(diff_cmd, shell=True)
            
        baseline_file = os.path.join(args.run_dir, "baseline_commit.txt")
        if os.path.exists(baseline_file):
Confidence
99% confidence
Finding
subprocess.run(diff_cmd, shell=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
else:
            history_depth = max(5, pr_num)
            history_cmd = f"git log -n {history_depth} -p {args.diff_target} > {os.path.join(args.run_dir, 'recent_history.diff')}"
        subprocess.run(history_cmd, shell=True)
        
    guardrail_violation = check_guardrails(workdir, pr_content, [os.path.join(workdir, diff_file)])
    if guardrail_violation:
Confidence
99% confidence
Finding
subprocess.run(history_cmd, shell=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Run orchestrator cleanup
        orchestrator_path = "/root/.openclaw/workspace/projects/leio-sdlc/scripts/orchestrator.py"
        res = subprocess.run([
            "python3", orchestrator_path, 
            "--workdir", td, 
            "--prd-file", "dummy.md",
Confidence
89% confidence
Finding
res = subprocess.run([ "python3", orchestrator_path, "--workdir", td, "--prd-file", "dummy.md", "--cleanup", "--enable-exec-from-w

subprocess module call

Medium
Category
Dangerous Code Execution
Content
fcntl.flock(f, fcntl.LOCK_EX | fcntl.LOCK_NB)
        
        orchestrator_path = "/root/.openclaw/workspace/projects/leio-sdlc/scripts/orchestrator.py"
        res = subprocess.run([
            "python3", orchestrator_path, 
            "--workdir", td, 
            "--prd-file", "dummy.md",
Confidence
89% confidence
Finding
res = subprocess.run([ "python3", orchestrator_path, "--workdir", td, "--prd-file", "dummy.md", "--cleanup", "--enable-exec-from-w

Tainted flow: 'cmd' from os.environ.get (line 91, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
print(f"[{role or 'system'}] Invoking agent driver: {' '.join(cmd)}")
        
        for attempt in range(3):
            result = subprocess.run(cmd, capture_output=True, text=True)
            if result.returncode == 0:
                print(result.stdout)
                if return_output:
Confidence
95% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True)

Tainted flow: 'run_dir' from os.environ.get (line 100, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
if test_mode:
        run_dir = os.environ.get("SDLC_RUN_DIR", ".")
        os.makedirs(os.path.join(run_dir, "tests"), exist_ok=True)
        with open(os.path.join(run_dir, "tests", "auditor_task_string.log"), "w") as f:
            f.write(task_string)
        if "REJECT" in os.environ.get("MOCK_AUDIT_RESULT", ""):
            output = '{"status": "REJECTED", "comments": "Mock rejected"}'
Confidence
91% confidence
Finding
with open(os.path.join(run_dir, "tests", "auditor_task_string.log"), "w") as f:

Tainted flow: 'run_dir' from os.environ.get (line 43, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
import json
        run_dir = os.environ.get("SDLC_RUN_DIR", ".")
        os.makedirs(os.path.join(run_dir, "tests"), exist_ok=True)
        with open(os.path.join(run_dir, "tests", "verifier_task_string.log"), "w") as f:
            f.write(task_string)
            
        mock_result = os.environ.get("MOCK_VERIFIER_RESULT", '{"status": "PASS", "executive_summary": "Mock passed", "verification_details": []}')
Confidence
91% confidence
Finding
with open(os.path.join(run_dir, "tests", "verifier_task_string.log"), "w") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill exposes meaningful capabilities (environment access, file read/write, and shell execution) but does not declare permissions, which weakens transparency and policy enforcement for downstream agents. In this context, the runbook explicitly directs the agent to launch local automation and manipulate project state, so undeclared capabilities materially increase the risk of unauthorized or poorly understood actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The skill claims its only purpose is to force use of orchestrator.py for SDLC changes, but the described behavior encompasses deployment, rollback, GitHub sync, notifications, git operations, project repair/scaffolding, testing, and multiple standalone launchers. This mismatch is dangerous because it hides the true attack surface and can cause an agent or user to authorize a much broader set of side effects than the description suggests.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The deployment script performs an automatic GitHub synchronization after deployment, which goes beyond a local SDLC/deployment role and can exfiltrate repository contents to an external service without explicit user consent at execution time. In this skill context, the manifest says work must flow through the orchestrator, so adding outbound sync in the deploy path increases the blast radius from local deployment to external publication.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Restarting the OpenClaw gateway is a privileged environment-control action unrelated to simple file deployment and can affect other skills, sessions, or users on the host. In this skill's context, the script is supposed to enforce SDLC workflow, so coupling deployment with service restarts makes the skill more dangerous by allowing operational side effects outside the project boundary.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script changes Git configuration by setting core.hooksPath to .sdlc_hooks, which alters repository behavior and can cause arbitrary hook code to run on future Git operations. Given the skill's strict SDLC positioning, silently changing hook execution paths broadens control over developer workflows and persists beyond the immediate deployment action.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The script performs direct deployment rollback actions by moving production directories, extracting backup tarballs into the live skills path, and restarting the gateway, rather than constraining changes through the declared orchestrator-only SDLC path. In a skill whose metadata explicitly says all code modification and lifecycle actions must go through orchestrator.py, this creates an alternate privileged control path that weakens governance and can be abused to bypass expected review, validation, or audit steps.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The script directly issues `openclaw gateway restart`, granting the skill operational control over a broader service than simple local rollback. That expands the blast radius from file restoration to service availability and creates a capability that is not clearly necessary for a template skill advertised as enforcing SDLC orchestration, making misuse or accidental disruption more dangerous.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The template explicitly authorizes the main agent to directly generate and write PRD content, which conflicts with the skill metadata claiming work must only proceed through orchestrator.py. This weakens the declared control boundary, creates policy inconsistency, and can be used to justify out-of-band file modifications that bypass the orchestrated workflow and its review/audit gates.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The governance file instructs the main agent to create issue and PRD files directly, despite the skill description asserting that code changes, bug fixes, and feature implementation must only occur via the orchestrator. In a security-sensitive agent environment, contradictory instructions are dangerous because they normalize bypass behavior and erode enforcement of the trusted execution path.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This template expands the skill's authority from SDLC orchestration into deployment, runtime rollback, release management, and environment recovery operations. That broader operational scope materially increases risk because an agent following these instructions could affect live systems and installed skills, not just the development workflow described in the manifest.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The file directs execution of deployment shell commands such as deploy.sh and gateway restart operations, which go beyond a narrowly described orchestrator-only SDLC role. Embedding operational command authority in a governance template can enable unintended or unauthorized changes to live environments under the guise of normal process compliance.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill description says code changes must be performed only via this skill's orchestrator, yet the handoff prompt instructs the manager to invoke an external issue-tracker script directly from another skill path. That creates a policy and trust-boundary violation: the agent is being granted operational authority outside the declared SDLC orchestration path, which can bypass orchestration controls, auditing, and scope restrictions.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The prompt explicitly grants the manager the ability to execute `~/.openclaw/skills/issue_tracker/scripts/issues.py`, which is a separate skill capability unrelated to the stated SDLC-only purpose. In this context, that broadens the agent's effective privileges and introduces unnecessary cross-skill execution paths that could be abused to perform unauthorized workflow actions or evade intended separation of duties.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The deployment script performs an additional external synchronization step to a separate GitHub-related skill after deployment. That expands the skill's effective authority beyond local SDLC deployment into outbound code propagation, which can leak source or trigger unintended changes in another system without explicit operator consent.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script silently changes repository configuration by setting core.hooksPath to .sdlc_hooks, which causes future Git operations to execute hook code from this repository. Because hooks can run arbitrary commands, this creates a persistent code-execution mechanism that is broader than ordinary deployment and can surprise users or downstream agents.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script automatically restarts the OpenClaw gateway as the final step, giving the skill operational control over a running service. In the context of an SDLC skill, that is an elevated side effect because it can interrupt workloads, force newly deployed behavior live immediately, and hide the boundary between code deployment and service administration.

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
docs/PRDs/PRD_043_CWD_Guardrail.md:32