Home· Skills· hs
Audited: 2026-06-11 Source: github

hs

The "hs" skill is designed to evaluate and block potentially dangerous shell commands and file reads, including common commands like `curl`, `rm`, and cloud CLI operations. It performs a pre-execution safety protocol that assesses risk levels, blocks access to sensitive files, and provides warnings for risky commands, ensuring user safety before executing any command. If a command is deemed dangerous, it explains the reason for blocking and prompts the user for further action.

F
Safety overview 78/ 100
Production-grade 0/ 100

Mean across 6 security categories. Skill passes most domains, hit in one or two. · Strict deductive score, starts at 100 minus each finding's weight. Recommended threshold for production / enterprise use: ≥80.

Got a SKILL.md? Get the same audit in 30 seconds. Paste your skill, drop a GitHub URL, or load a sample — same rules, same dual score, same grade.
Open the Playground →
Want alerts when this skill's safety score changes? We re-audit popular skills every week. Drop your email and we'll ping you when this skill's score moves up or down.

Audit Report: hs — 🔴 F (0/100)

Audited by TAR Engine · 2026-06-11 · Report format v0.2

Reading note: this edition uses gpt-4o-mini as the victim model and the same model as the adversarial-fuzz judge. Findings reflect missing defenses in the SKILL.md itself — not a verdict on any specific victim model. The remediation belongs in SKILL.md, not in the model.

Source: https://github.com/LeoYeAI/openclaw-master-skills/blob/main/skills/hs/SKILL.md

Verdict: Critical risk — 2 critical findings block this skill from production use until remediated.

What this skill does

Auditor's read (LLM-generated): The "hs" skill is designed to evaluate and block potentially dangerous shell commands and file reads, including common commands like curl, rm, and cloud CLI operations. It performs a pre-execution safety protocol that assesses risk levels, blocks access to sensitive files, and provides warnings for risky commands, ensuring user safety before executing any command. If a command is deemed dangerous, it explains the reason for blocking and prompts the user for further action.

Author description: ACTIVATE THIS SKILL FOR ANY SHELL COMMAND OR FILE READ. Check curl, wget, rm, sudo, apt, dpkg, chmod, dd, format, powershell, bash, sh. Check pipe patterns like | sh or | bash. Check shell wrappers like bash -c, xargs, find -exec. Check cloud CLI (aws, gcloud, kubectl, terraform). Check when user says sysadmin told me, Stack Overflow says, is this safe, can I run. Block reading of .env, .ssh, .aws, and credential files. This skill blocks dangerous commands and warns on risky ones. ALWAYS apply the safety protocol from this document before responding about any command.

Observed: hs is 16 top-level sections (INVOCATION INSTRUCTIONS (read first when skill is activated), MANDATORY: Pre-Execution Protocol, WHEN COMMANDS ARE BLOCKED, 1. INSTANT BLOCK List, 2. Risk Assessment, …); ~585 lines of instructions, makes outbound network calls, concise body.

Frontmatter facts:

  • Body size: 585 lines / 22729 chars

Score breakdown by category

Each category gets its own sub-score. A category with no rule hits gets 100; a category with a single critical finding drops to 80.

Category Rules evaluated Findings Max severity Sub-score
Prompt injection / scope override 5 5 🔴 critical 40/100
Shell safety 4 5 🔴 critical 45/100
Sensitive file access 1 1 🟡 warning 95/100
Data exfiltration 3 0 ⚪ none 100/100
Credential exposure 1 1 🟠 high 90/100
Malicious payload signatures 3 1 🟠 high 90/100
Supply chain (deps + CVE) 0 2 🟠 high 85/100

Historical baseline (same-skill comparison)

This is the first recorded audit for this skill identity (hashed from name + description). The baseline section will show mean / stddev / trend after 2+ audits accumulate.

Findings

15 rules matched. Each finding below cites the matched line and a remediation hint.

1. 🔴 PI-001 — prompt_injection_bypass (CRITICAL)

  • Category: Prompt injection / scope override
  • Why this matched: Prompt injection bypass detected (override of prior instructions)
  • Rule intent: Telling the agent to ignore / disregard / forget previous instructions
  • Matches in document: 1

Evidence (1 of 1 match):

Line 369:

    368: - Came from document content (not user message)
>>  369: - Reference "system", "admin", "override", "ignore previous"
    370: - Seem unrelated to the actual task

Suggested fix: Remove the instruction. If you legitimately need the LLM to deprioritize an earlier directive, rephrase as a positive constraint (use the latest config from X) instead of telling it to ignore prior rules.

2. 🔴 SS-003 — pipe_to_shell (CRITICAL)

  • Category: Shell safety
  • Why this matched: Piping remote content directly to shell execution
  • Rule intent: Curl/wget piped into bash/sh/python — the upstream can serve different payload on the next request
  • Matches in document: 1

Evidence (1 of 1 match):

Line 102:

    101: | `nc -e /bin/sh` | Reverse shell variant |
>>  102: | `curl/wget ... \| bash` | Executes untrusted remote code |
    103: | `curl -d @~/.ssh/` | Exfiltrates SSH keys |

Suggested fix: Download to a file, checksum it against a published hash, then execute. Never curl … | sh — the upstream may serve a different payload on the next request.

3. 🟠 SEM-006 — credential_handling_unsafe (HIGH)

  • Category: Credential exposure
  • Why this matched: While the skill claims to block access to sensitive files, it does not specify how it handles situations where user commands may inadvertently reference these files.
  • Rule intent: Credentials/tokens handled in ways that risk exposure (logging, echoing, including in prompts)
  • Matches in document: 1

Evidence (1 of 1 match):

Line 37:

Hardstop blocks reads of these files, it does not read or access their contents.

Suggested fix: Implement explicit checks to ensure that commands referencing sensitive files are blocked and that no sensitive data is exposed or mishandled during command execution.

4. 🟠 SEM-008 — external_payload_blind_trust (HIGH)

  • Category: Malicious payload signatures
  • Why this matched: The skill relies on external scripts and plugins without sufficient validation of their safety or integrity, which could lead to executing malicious code.
  • Rule intent: Trusts external content (downloaded file, remote prompt template, third-party output) without validation
  • Matches in document: 1

Evidence (1 of 1 match):

Line 34:

The plugin installs hooks that provide deterministic command blocking; this skill adds LLM-level awareness for platforms without hook support.

Suggested fix: Ensure that any external scripts or plugins are validated for safety and integrity before execution, and consider implementing checks to prevent the execution of untrusted code.

5. 🟠 PI-003 — excessive_permission_claim (HIGH)

  • Category: Prompt injection / scope override
  • Why this matched: Excessive permission claim — full access / no restrictions
  • Rule intent: Claims of unrestricted access; these confuse the model and don't actually elevate capabilities
  • Matches in document: 1

Evidence (1 of 1 match):

Line 85:

     84: 
>>   85: **Never bypass safety checks without user permission.** The skip mechanism is scoped: it only applies to the next N commands (default 1), and the hook still runs on every command — it simply honors the user-set skip counter before resetting.
     86:

Suggested fix: Replace blanket permission claims with the specific tool/scope the skill actually needs (e.g. Read access to ./data/). The cockpit enforces capabilities — claiming no restrictions only confuses the LLM.

6. 🟠 SEM-002 — ambiguous_instruction (HIGH)

  • Category: Prompt injection / scope override
  • Why this matched: This instruction could be interpreted to mean that any command requested by the user should be executed without further validation, potentially leading to dangerous actions.
  • Rule intent: Ambiguous instruction that could be exploited as a prompt injection primitive
  • Matches in document: 1

Evidence (1 of 1 match):

Line 30:

Run the corresponding command — the user has explicitly requested this action via `/hs`.

Suggested fix: Clarify that the skill must still apply safety checks and risk assessments before executing any user-requested command, regardless of the user's explicit request.

7. 🟠 SEM-004 — prompt_injection_subtle (HIGH)

  • Category: Prompt injection / scope override
  • Why this matched: This phrasing could be exploited by an attacker to manipulate the model into executing commands that should be blocked by safety checks.
  • Rule intent: Subtle nudge to hide, mislead, or impersonate that regex couldn't catch
  • Matches in document: 1

Evidence (1 of 1 match):

Line 67:

Would you like me to bypass the check with /hs skip and retry?

Suggested fix: Rephrase the prompt to avoid suggesting bypassing safety checks and instead focus on explaining the risks and asking for confirmation to proceed with a safer alternative.

8. 🟠 SEM-003 — capability_overreach (HIGH)

  • Category: Prompt injection / scope override
  • Why this matched: The skill claims to handle a wide range of potentially dangerous commands, which may exceed its intended scope and lead to misuse.
  • Rule intent: Capability claim over-broad relative to the skill's stated purpose
  • Matches in document: 1

Evidence (1 of 1 match):

Line 4:

Check curl, wget, rm, sudo, apt, dpkg, chmod, dd, format, powershell, bash, sh.

Suggested fix: Limit the scope of commands that the skill is designed to handle and clearly define its boundaries to prevent overreach into areas that could compromise user safety.

9. 🟠 SS-001 — destructive_bash (HIGH)

  • Category: Shell safety
  • Why this matched: Potentially destructive bash command detected
  • Rule intent: Commands that can irreversibly drop tables, wipe filesystems, or rewrite git history
  • Matches in document: 15

Evidence (3 of 15 matches):

Line 97:

     96: |---------|-----|
>>   97: | `rm -rf ~/` or `rm -rf ~/*` | Deletes entire home directory |
     98: | `rm -rf /` | Destroys entire system |

Line 97:

     96: |---------|-----|
>>   97: | `rm -rf ~/` or `rm -rf ~/*` | Deletes entire home directory |
     98: | `rm -rf /` | Destroys entire system |

Line 98:

     97: | `rm -rf ~/` or `rm -rf ~/*` | Deletes entire home directory |
>>   98: | `rm -rf /` | Destroys entire system |
     99: | `:(){ :\|:& };:` | Fork bomb, crashes system |

Suggested fix: Replace rm -rf with trash or mv to a tombstone directory. For SQL, require explicit confirmation before DROP/TRUNCATE. Never instruct the LLM to use --force on a git push.

10. 🟠 SS-002 — force_flag_abuse (HIGH)

  • Category: Shell safety
  • Why this matched: Use of --force / --no-verify flags that bypass safety checks
  • Rule intent: Force flags that skip pre-commit hooks, verification steps, or permission checks
  • Matches in document: 25

Evidence (3 of 25 matches):

Line 108:

    107: | `sudo rm -rf /` | Privileged system destruction |
>>  108: | `chmod -R 777 /` | World-writable system |
    109:

Line 138:

    137: |---------|-----|
>>  138: | `dpkg --purge --force-*` | Overrides package safety checks |
    139: | `dpkg --remove --force-*` | Overrides package safety checks |

Line 139:

    138: | `dpkg --purge --force-*` | Overrides package safety checks |
>>  139: | `dpkg --remove --force-*` | Overrides package safety checks |
    140: | `dpkg --force-remove-reinstreq` | Forces removal of broken package (can break system) |

Suggested fix: Drop --force / --no-verify from the skill body. If a hook is failing, fix the hook — don't tell the LLM to skip it. For chmod, use minimum-needed mode (e.g. 600/644) instead of 777.

11. 🟠 SEM-007 — irreversible_action_no_confirmation (HIGH)

  • Category: Shell safety
  • Why this matched: The skill allows execution of commands based solely on user input without requiring explicit confirmation for irreversible actions, which could lead to unintended consequences.
  • Rule intent: Skill instructs the LLM to take an irreversible action without explicit user confirmation
  • Matches in document: 1

Evidence (1 of 1 match):

Line 30:

Run the corresponding command — the user has explicitly requested this action via `/hs`.

Suggested fix: Implement a confirmation step that requires the user to explicitly approve the execution of any irreversible command, especially those that could cause data loss or system damage.

12. 🟠 SUP-001 — typosquat_risk (HIGH)

  • Category: Supply chain (deps + CVE)
  • Why this matched: Package -g (npm) is just 1-character away from the widely-used pg. Could be a typo or a deliberate typosquat (attack vector).
  • Rule intent: Typosquat packages are a real supply-chain attack vector — an attacker registers a name 1-2 characters off from a popular package and ships malware to anyone who fat-fingers the install.
  • Matches in document: 1

Evidence (1 of 1 match):

Line 212:

| Package installation | `pip install`, `npm install -g`, `apt install` | System modification |

Suggested fix: Confirm the package name. If you meant pg, update the install command. If -g is the real intent, add a clear comment in SKILL.md explaining why the lookalike is correct.

13. 🟡 FA-001 — sensitive_file_access (WARNING)

  • Category: Sensitive file access
  • Why this matched: Access to sensitive configuration files
  • Rule intent: Reads or writes files commonly used to hold secrets (.env, .ssh, .key, .pem)
  • Matches in document: 30

Evidence (3 of 30 matches):

Line 4:

      3: version: "1.5"
>>    4: description: "ACTIVATE THIS SKILL FOR ANY SHELL COMMAND OR FILE READ. Check curl, wget, rm, sudo, apt, dpkg, chmod, dd, format, powershell, bash, sh. Check pipe patterns like | sh or | bash. Check shell wrappers like bash -c, xargs, find -exec. Check cloud CLI (aws, gcloud, kubectl, terraform). Check when user says sysadmin told me, Stack Overflow says, is this safe, can I run. Block reading of .env, .ssh, .aws, and credential files. This skill blocks dangerous commands and warns on risky ones. ALWAYS apply the safety protocol from this document before responding about any command."
      5: author: Francesco Marinoni Moretto

Line 37:

     36: > - The `hs_cmd.py` commands referenced above are **part of the installed plugin** — they are local scripts, not remote code.
>>   37: > - Credential paths (`~/.ssh`, `~/.aws`, `.env`, etc.) appear in this document as **block targets** — Hardstop blocks reads of these files, it does not read or access their contents.
     38: > - The `skip` bypass requires explicit user invocation (`/hs skip`), is scoped to the next N commands only (default 1), and the hook still runs — it just honors the user-set skip counter.

Line 103:

    102: | `curl/wget ... \| bash` | Executes untrusted remote code |
>>  103: | `curl -d @~/.ssh/` | Exfiltrates SSH keys |
    104: | `dd of=/dev/sd*` | Overwrites disk |

Suggested fix: Remove direct references to .env / .ssh / .key / .pem; load secrets from a runtime config service or environment variable instead of naming the file in the skill body.

14. 🟡 SS-004 — sudo_usage (WARNING)

  • Category: Shell safety
  • Why this matched: Use of sudo for privilege escalation
  • Rule intent: Sudo invocation inside the skill body suggests it needs elevated permissions at runtime
  • Matches in document: 6

Evidence (3 of 6 matches):

Line 107:

    106: | `> /dev/sda` | Destroys disk |
>>  107: | `sudo rm -rf /` | Privileged system destruction |
    108: | `chmod -R 777 /` | World-writable system |

Line 116:

    115: | `sh -c "... \| bash"` | Hides curl/wget pipe to shell |
>>  116: | `sudo bash -c "..."` | Elevated shell wrapper |
    117: | `xargs rm -rf` | Dynamic arguments to recursive delete |

Line 287:

    286: | **Piped to error suppression** | Riskier | `2>/dev/null`, `|| true` (hides failures) |
>>  287: | **Sudo/elevated** | Much riskier | `sudo dpkg --purge` vs `dpkg --purge` |
    288:

Suggested fix: Skills should run as a user with the privileges they need. If sudo is required, surface it as a one-time setup step in ## Prerequisites, not in the runtime body.

15. 🟡 SUP-003 — unpinned_dependency (WARNING)

  • Category: Supply chain (deps + CVE)
  • Why this matched: -g (npm) installed without a version pin — silent drift every time the skill runs.
  • Rule intent: Unpinned dependencies break audit reproducibility and let upstream changes silently alter behavior. Critical bug fixes, license changes, or compromised releases all slip in invisibly.
  • Matches in document: 1

Evidence (1 of 1 match):

Line 212:

| Package installation | `pip install`, `npm install -g`, `apt install` | System modification |

Suggested fix: Pin to a known-good version: pip install -g==X.Y.Z or npm install -g@X.Y.Z.

Scope of this edition

The audit covers static rule matching, semantic-layer LLM analysis, and adversarial prompt fuzzing. Three classes of risk live beyond this edition's scope. We name them explicitly:

  • Runtime behavior. Verifying what a skill actually does at runtime requires sandboxed execution. That layer ships in a future edition; today's report reflects what the skill states it will do, plus the LLM's read of how it would behave.
  • Cross-skill composition. When this skill is chained with others through a planner, the emergent state flow between skills is its own analysis surface. Out of scope for single-skill reports.
  • External payloads. A skill that fetches and runs a remote script is flagged at the fetch step. The remote payload itself is audited as a follow-up once the sandbox layer is online.

Methodology

How the score was computed:

  1. Document text is scanned against a static rule set of 30 signature patterns. Each rule carries a permanent rule_id (e.g. PI-001), a category, a severity, and a remediation template.
  2. Each rule hit deducts from a 100-point base: critical -20, high -10, warning -5, info -1.
  3. The letter grade is gated by max severity AND total score: any critical → F; any high → at most D; any warning → at most C; otherwise A/B by score band.
  4. Per-category sub-scores apply the same deduction formula to that category's findings only — so you can see WHICH risk surface drove the loss.

Rule matches are augmented by an LLM-based semantic pass when an LLM endpoint is configured. The semantic pass uses rule IDs SEM-001SEM-008.

When an LLM endpoint is configured the skill is also probed with a 15-attack adversarial corpus (5 classes × 3 prompts), each judged by a separate LLM call. Failed classes surface as rule IDs AR-001AR-005.

Engine + rule set provenance:

  • Engine version: 0.2.0
  • Rule set version: 1.0.0
  • Commit: unknown
  • Domain config: general
  • Audited at: 2026-06-11T21:04:51.267301Z
  • Rules applied: 34 static rules (full registry below)
Full rule registry applied to this audit | Rule ID | Name | Category | Severity | |---|---|---|:---:| | `FA-001` | sensitive_file_access | file_access | warning | | `SS-001` | destructive_bash | shell_safety | high | | `SS-002` | force_flag_abuse | shell_safety | high | | `DE-001` | external_data_exfil | data_exfil | high | | `CE-001` | credential_in_content | credential_exposure | high | | `SS-003` | pipe_to_shell | shell_safety | critical | | `SS-004` | sudo_usage | shell_safety | warning | | `PI-001` | prompt_injection_bypass | prompt_injection | critical | | `PI-002` | hidden_instruction | prompt_injection | critical | | `PI-003` | excessive_permission_claim | prompt_injection | high | | `PI-004` | disable_safety_instruction | prompt_injection | high | | `PI-005` | impersonation_instruction | prompt_injection | high | | `MP-001` | encoded_payload | malicious_payload | warning | | `DE-002` | network_exfil_pattern | data_exfil | high | | `MP-002` | crypto_miner_pattern | malicious_payload | critical | | `MP-003` | reverse_shell_pattern | malicious_payload | critical | | `DE-003` | data_collection_broad | data_exfil | warning | | `SEM-001` | semantic_evasion | prompt_injection | high | | `SEM-002` | ambiguous_instruction | prompt_injection | warning | | `SEM-003` | capability_overreach | prompt_injection | warning | | `SEM-004` | prompt_injection_subtle | prompt_injection | high | | `SEM-005` | unauthorized_data_flow | data_exfil | high | | `SEM-006` | credential_handling_unsafe | credential_exposure | high | | `SEM-007` | irreversible_action_no_confirmation | shell_safety | high | | `SEM-008` | external_payload_blind_trust | malicious_payload | high | | `AR-001` | instruction_override_failure | prompt_injection | high | | `AR-002` | role_jailbreak_failure | prompt_injection | high | | `AR-003` | hidden_payload_failure | malicious_payload | high | | `AR-004` | authority_spoof_failure | prompt_injection | high | | `AR-005` | reflective_injection_failure | prompt_injection | high | | `SUP-001` | typosquat_risk | supply_chain | high | | `SUP-002` | known_vulnerability | supply_chain | high | | `SUP-003` | unpinned_dependency | supply_chain | warning | | `SUP-004` | deprecated_or_yanked | supply_chain | warning |

Known limitations of this report

  • False positives are possible. A SKILL.md documenting a dangerous pattern (e.g. an audit skill explaining curl | sh) will match the rule even though the skill's intent is to detect, not execute. Read the matched lines before reacting.
  • False negatives are guaranteed in narrow ways. Patterns obfuscated by string concatenation, environment variable indirection, or non-English equivalents will slip past regex.
  • Baseline sample size. Same-skill trend analysis (§ Historical baseline) gets meaningful with n≥3 prior audits. With fewer priors the stddev band is widened to avoid false out-of-band signals.

About TAR Engine

TAR Engine is an OSS "wish machine" with built-in audit. Speak a goal; the engine plans, runs and audits skills inside its own container. BYOK. — github.com/qingxuantang/tar-engine