Trust Assessment
herobrine received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 37 findings: 14 critical, 15 high, 6 medium, and 2 low severity. Key findings include Persistence / self-modification instructions, File read + network send exfiltration, Sensitive environment variable access: $HOME.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit e47452f4). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (37)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Persistence / self-modification instructions**: macOS LaunchAgent/LaunchDaemon persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | herobrine/scripts/manage-agent.sh:101 |
| CRITICAL | **File read + network send exfiltration**: AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | herobrine/SKILL.md:36 |
| CRITICAL | **File read + network send exfiltration**: AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | herobrine/SKILL.md:39 |
| CRITICAL | **File read + network send exfiltration**: AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | herobrine/SKILL.md:40 |
| CRITICAL | **File read + network send exfiltration**: AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | herobrine/SKILL.md:41 |
| CRITICAL | **File read + network send exfiltration**: AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | herobrine/SKILL.md:42 |
| CRITICAL | **File read + network send exfiltration**: AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | herobrine/SKILL.md:49 |
| CRITICAL | **File read + network send exfiltration**: AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | herobrine/SKILL.md:84 |
| CRITICAL | **File read + network send exfiltration**: AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | herobrine/SKILL.md:90 |
| CRITICAL | **File read + network send exfiltration**: AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | herobrine/SKILL.md:97 |
| CRITICAL | **File read + network send exfiltration**: AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | herobrine/SKILL.md:103 |
| CRITICAL | **File read + network send exfiltration**: AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | herobrine/SKILL.md:109 |
| CRITICAL | **File read + network send exfiltration**: AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | herobrine/SKILL.md:129 |
| CRITICAL | **Command Injection via Agent Name in `manage-agent.sh`**: The `manage-agent.sh` script constructs file paths and command arguments using the user-provided agent `NAME` without proper sanitization. Specifically, `launchctl unload/load` and `rm -f` commands are vulnerable. An attacker can inject shell metacharacters into the `NAME` argument (e.g., `myagent; rm -rf /`) to execute arbitrary commands on the host system with the permissions of the skill. Sanitize the `NAME` variable to disallow shell metacharacters or ensure it is properly quoted when used in shell commands. A whitelist of allowed characters (e.g., alphanumeric, hyphens) is recommended. For `launchctl` and `rm`, ensure the `$PLIST_FILE` and `$NAME.json` are properly quoted or escaped. | Static | scripts/manage-agent.sh:107 |
| HIGH | **Sensitive path access: AI agent config**: Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | herobrine/SKILL.md:36 |
| HIGH | **Sensitive path access: AI agent config**: Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | herobrine/SKILL.md:39 |
| HIGH | **Sensitive path access: AI agent config**: Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | herobrine/SKILL.md:40 |
| HIGH | **Sensitive path access: AI agent config**: Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | herobrine/SKILL.md:41 |
| HIGH | **Sensitive path access: AI agent config**: Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | herobrine/SKILL.md:42 |
| HIGH | **Sensitive path access: AI agent config**: Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | herobrine/SKILL.md:49 |
| HIGH | **Sensitive path access: AI agent config**: Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | herobrine/SKILL.md:84 |
| HIGH | **Sensitive path access: AI agent config**: Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | herobrine/SKILL.md:90 |
| HIGH | **Sensitive path access: AI agent config**: Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | herobrine/SKILL.md:97 |
| HIGH | **Sensitive path access: AI agent config**: Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | herobrine/SKILL.md:103 |
| HIGH | **Sensitive path access: AI agent config**: Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | herobrine/SKILL.md:109 |
| HIGH | **Sensitive path access: AI agent config**: Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | herobrine/SKILL.md:129 |
| HIGH | **Persistence mechanism: macOS LaunchAgent**: Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | herobrine/scripts/manage-agent.sh:101 |
| HIGH | **Command Injection via `cd` to unsanitized `WORK_DIR` in `run-agent.sh`**: The `run-agent.sh` script changes directory to `WORK_DIR` (`cd "$WORK_DIR"`). The `WORK_DIR` value is read from the agent's JSON configuration file, which was created by `manage-agent.sh` without proper JSON string escaping for this field. If an attacker can control the `directory` field in the JSON (e.g., via JSON injection in `manage-agent.sh`), they can inject shell metacharacters into `WORK_DIR` (e.g., `$(rm -rf /)`) leading to arbitrary command execution. Ensure that all user-provided values written to the agent's JSON configuration file are properly JSON-escaped. Additionally, validate `WORK_DIR` for shell metacharacters before using it in `cd`. | Static | scripts/run-agent.sh:40 |
| HIGH | **Prompt/Tool Argument Injection via `DELIVERY_CHAT` in `run-agent.sh`**: The `DELIVERY_CHAT` variable, which is read from the agent's JSON configuration, is directly embedded into the prompt string that is passed to the Claude model. If an attacker can control the `delivery_chat` field in the JSON (e.g., via JSON injection in `manage-agent.sh`), they can inject arbitrary instructions or tool calls into the Claude model's prompt. This could lead to the LLM executing unintended actions, including arbitrary tool invocations (e.g., `/bash echo pwned`) due to the `--dangerously-skip-permissions` flag. Ensure that the `DELIVERY_CHAT` variable is strictly validated and sanitized to prevent injection of special characters or tool call syntax. It should only contain valid chat IDs. Alternatively, pass `DELIVERY_CHAT` as a separate, dedicated argument to the Claude model if the underlying `claude` tool supports it, rather than embedding it directly into the prompt. | Static | scripts/run-agent.sh:33 |
| MEDIUM | **Sensitive environment variable access: $HOME**: Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | herobrine/SKILL.md:84 |
| MEDIUM | **Sensitive environment variable access: $HOME**: Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | herobrine/scripts/manage-agent.sh:7 |
| MEDIUM | **Sensitive environment variable access: $HOME**: Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | herobrine/scripts/run-agent.sh:8 |
| MEDIUM | **JSON Injection in `manage-agent.sh` when creating agent config**: When creating the agent's JSON configuration file (`$SCHEDULES_DIR/$NAME.json`), several user-provided variables (`NAME`, `SCHEDULE`, `DIRECTORY`, `MODEL`, `MAX_TURNS`, `DELIVERY_CHAT`) are directly inserted into the JSON string without proper escaping. Only `PROMPT` is escaped using `jq -Rs .`. An attacker can inject JSON metacharacters (e.g., `"`, `}`, `,`) into these fields to break the JSON structure, inject arbitrary key-value pairs, or potentially overwrite existing ones. This could lead to malformed configurations or enable other attacks like Prompt/Tool Argument Injection (via `DELIVERY_CHAT`) or Command Injection (via `directory`). All user-provided variables inserted into the JSON file should be properly JSON-escaped. The `jq -Rs .` method used for `PROMPT` should be applied to all string values (`NAME`, `DIRECTORY`, `MODEL`, `SCHEDULE`, `DELIVERY_CHAT`). Numeric values like `MAX_TURNS` should be validated to ensure they are indeed numbers. | Static | scripts/manage-agent.sh:20 |
| MEDIUM | **XML Injection in `manage-agent.sh` when creating launchd plist**: When constructing the launchd plist XML, the cron components (`CMIN`, `CHOUR`, `CDAY`, `CMONTH`, `CWDAY`) derived from the user-provided `SCHEDULE` are directly inserted into the XML structure without escaping. An attacker could inject XML metacharacters (e.g., `<`, `>`, `&`, `'`, `"`) into the `SCHEDULE` to create a malformed plist, potentially altering the intended schedule or other plist properties, or even injecting arbitrary XML content. Sanitize or escape all user-provided values (`CMIN`, `CHOUR`, etc.) before inserting them into the XML string. Ensure they only contain valid integer or '*' characters. A whitelist approach for cron schedule components is recommended. | Static | scripts/manage-agent.sh:46 |
| MEDIUM | **Path Traversal via Agent Name in `manage-agent.sh` and `run-agent.sh`**: The user-provided agent `NAME` is used directly to construct file paths for the agent's JSON configuration, launchd plist, and log files. If `NAME` contains path traversal sequences (e.g., `../`, `/`), an attacker could create or modify files outside the intended `~/.claude/agents/` or `~/Library/LaunchAgents/` directories. This could lead to unauthorized file creation, modification, or denial of service. Sanitize the `NAME` variable to disallow path separators (`/`) and path traversal sequences (`..`). A whitelist of allowed characters (e.g., alphanumeric, hyphens) is recommended for agent names. | Static | scripts/manage-agent.sh:30 |
| LOW | **Command Injection (AppleScript) via Agent Name in `run-agent.sh`**: The `AGENT_NAME` is directly embedded into the `osascript` commands used for macOS notifications. If `AGENT_NAME` contains AppleScript string delimiters (e.g., `"`) or other AppleScript metacharacters, it could lead to injection of arbitrary AppleScript commands, potentially displaying misleading notifications or executing other local actions. Escape or sanitize the `AGENT_NAME` variable before embedding it into the `osascript` command string. Specifically, double quotes within `AGENT_NAME` should be escaped (e.g., `\"`). | Static | scripts/run-agent.sh:46 |
| LOW | **Shell Injection (Globbing) via Agent Name in `manage-agent.sh` logs action**: In the `logs` action, the `NAME` variable is used directly in a glob pattern for `ls -t "$LOGS_DIR"/${NAME}_2*.log`. If `NAME` contains shell globbing metacharacters (e.g., `*`, `?`, `[`, `]`), an attacker could manipulate the `ls` command to list unintended files or trigger unexpected behavior. While `cat` then reads the result, this could still lead to information disclosure if the globbing is exploited to match sensitive files. Sanitize the `NAME` variable to prevent globbing characters, or use `find` with `-name` and proper quoting instead of `ls` with direct globbing. | Static | scripts/manage-agent.sh:130 |