Trust Assessment
steve received a trust score of 25/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 0 critical, 5 high, 0 medium, and 0 low severity. Key findings include Automatic installation of skills based on user input, Automatic installation of external MCP servers, Broad `Skill(*)` and `Bash(*)` permissions configured in `settings.local.json`.
The analysis covered 4 layers: manifest_analysis, static_code_analysis, llm_behavioral_safety, dependency_graph. The static_code_analysis layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit 3572de0c). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Description | Remediation | Layer | Location |
|---|---|---|---|---|---|
| HIGH | Automatic installation of skills based on user input | The skill instructs the agent to automatically search for and install skills using `npx skills add ... -y`. The search query for skills includes `"[project domain from user description]"`. This allows user-controlled input to influence which external skills are installed. A malicious user could craft a `project description` to cause the agent to install a skill from an untrusted source or a typosquatted package, leading to arbitrary code execution. The `-y` flag bypasses confirmation, making this process fully autonomous and risky. | 1. Remove the use of `"[project domain from user description]"` in `npx skills find` to prevent prompt injection. 2. Require explicit user confirmation before installing any new skills, especially from external repositories, by removing the `-y` flag or introducing an `AskUserQuestion` step. 3. Consider whitelisting allowed skill repositories or specific skill names. | Unknown | SKILL.md:70 |
| HIGH | Automatic installation of external MCP servers | The skill instructs the agent to automatically install MCP servers using `npx -y @upstash/context7-mcp` and similar commands. This involves downloading and executing code from external npm packages without user confirmation. While the listed packages appear legitimate, this mechanism introduces a supply chain risk where a compromised package or a typosquatted package could lead to arbitrary code execution. The `-y` flag bypasses confirmation. | 1. Require explicit user confirmation before installing any new MCP servers, especially those involving external npm packages, by removing the `-y` flag or introducing an `AskUserQuestion` step. 2. Consider whitelisting allowed MCP server packages and their versions. | Unknown | SKILL.md:91 |
| HIGH | Broad `Skill(*)` and `Bash(*)` permissions configured in `settings.local.json` | The skill instructs the agent to create or update `settings.local.json` with very broad permissions. `Skill(*)` allows the agent to invoke any installed skill, including potentially malicious ones installed via the supply chain risks identified above, creating a dangerous escalation path. `Bash(npm *)`, `Bash(python *)`, and `Bash(docker *)` are broad `Bash` permissions that allow the agent to execute almost any command starting with `npm`, `python`, or `docker`, significantly increasing the attack surface for command injection if the agent is later prompted to execute a malicious command. | 1. Restrict `Skill(*)` to a specific whitelist of trusted skills or remove it entirely if not strictly necessary. 2. Narrow down `Bash(*)` permissions to the absolute minimum required commands and arguments. For example, instead of `Bash(npm *)`, use `Bash(npm install)`, `Bash(npm test)`, etc., with specific argument patterns if possible. | Unknown | SKILL.md:106 |
| HIGH | Automatic cloning and execution of external Git repository script | The skill instructs the agent to `git clone` a repository (`https://github.com/frankbria/ralph-claude-code.git`) and then immediately execute its `install.sh` script. This process downloads and runs arbitrary code from an external, untrusted source. A compromise of the `ralph-claude-code` repository or a malicious change to its `install.sh` script would lead to arbitrary command execution on the host system. | 1. Avoid automatically cloning and executing scripts from external repositories. 2. If absolutely necessary, implement strong verification (e.g., cryptographic signature checks) of the repository content and the `install.sh` script before execution. 3. Consider vendoring the `ralph-claude-code` installation or using a more secure distribution method. | Unknown | SKILL.md:294 |
| HIGH | Broad `Bash(*)` permissions configured in `.ralphrc` `ALLOWED_TOOLS` | The skill instructs the agent to configure the `.ralphrc` file with `ALLOWED_TOOLS` that include broad `Bash(*)` permissions (e.g., `Bash(npm *)`, `Bash(python *)`, `Bash(docker *)`). This allows the Ralph agent to execute a wide range of shell commands, increasing the attack surface for command injection if the agent is later prompted (e.g., via a malicious plan or prompt injection) to execute an unintended command. | 1. Narrow down `Bash(*)` permissions to the absolute minimum required commands and arguments. For example, instead of `Bash(npm *)`, use `Bash(npm install)`, `Bash(npm test)`, etc., with specific argument patterns if possible. 2. Implement a more granular permission system for the Ralph agent if available. | Unknown | SKILL.md:306 |