Trust Assessment
eval-harness received a trust score of 25/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include Arbitrary Command Execution via User-Defined Graders, Broad Filesystem and Shell Access for User-Defined Logic.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on March 20, 2026 (commit 9a478ad6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary Command Execution via User-Defined Graders | Static | SKILL.md:59 |
| HIGH | Broad Filesystem and Shell Access for User-Defined Logic | Static | SKILL.md:59 |

**CRITICAL: Arbitrary Command Execution via User-Defined Graders** (Static, SKILL.md:59)

The skill instructs users to define 'Code-Based Graders' as arbitrary `bash` commands inside markdown blocks. Because the manifest declares the `Bash` tool, an agent implementing this skill is expected to run those user-provided commands verbatim. That is a direct command injection path: whoever authors an eval definition can execute any shell command on the host where the agent runs. The skill's own examples (`grep -q ...`, `npm test ...`, `npm run build ...`) are placeholders for user-defined commands and could just as easily be `rm -rf /` or a data exfiltration command.

The agent must not execute arbitrary `bash` blocks taken from eval definitions. Alternatives:

1. **Sandboxing**: run user-defined graders in a restricted, isolated environment.
2. **Whitelisting**: allow only a predefined set of commands and arguments.
3. **Human Approval**: require explicit human review and approval before any user-defined code-based grader runs.
4. **Input Sanitization**: where user input is interpolated into a command, escape all shell metacharacters. For arbitrary `bash` blocks this is insufficient on its own; one of the controls above is needed.

**HIGH: Broad Filesystem and Shell Access for User-Defined Logic** (Static, SKILL.md:59)

The manifest declares `Read`, `Write`, `Edit`, `Bash`, `Grep`, and `Glob`, and the skill's design encourages users to write 'Code-Based Graders' that use these tools. User-defined evaluation logic, if malicious or compromised, can therefore read, write, and modify files anywhere the agent can reach and execute arbitrary shell commands, which multiplies the impact of the command injection finding above. Re-evaluate whether user-defined logic needs these permissions at all. If `Bash` and broad filesystem access are genuinely required, sandbox and validate all user-provided content. Prefer narrow, purpose-built tools over general ones: instead of accepting arbitrary `grep` commands, expose a dedicated 'check_file_content' tool that takes a file path and a regex pattern and performs the match internally, so the eval author never supplies a command line.
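One way to implement the whitelisting and dedicated-tool alternatives that both findings recommend, as an added example that is not SkillShield's or the eval-harness skill's own code. The grader spec format (`type`, `path`, `pattern`, `argv`), the `DEFAULT_ALLOWLIST` contents and the helper names are assumptions; the sample workspace it builds is constructed for the example. The runner accepts only structured specs: a `file_contains` check that replaces `grep -q` with an in-process regex match confined to the workspace, and a `command` check that runs an exactly allow-listed argv vector without a shell. A raw `bash` string, a path outside the workspace, an unknown binary or an extra argument is refused rather than executed.

```python
"""Allow-listed grader runner: the 'whitelisting' and 'dedicated tool'
alternatives from the findings, instead of executing user-supplied bash.
Added example, not SkillShield's or eval-harness's own code; the spec
format, DEFAULT_ALLOWLIST and helper names are assumptions."""
import os
import re
import subprocess
import tempfile
from dataclasses import dataclass

# Assumed allow-list: exact argv vectors a grader may run. Covers the skill's
# own examples (`npm test`, `npm run build`) but lets the eval author add no
# flags, no extra arguments and no other binary.
DEFAULT_ALLOWLIST = frozenset({("npm", "test"), ("npm", "run", "build")})
MAX_PATTERN_LEN = 256       # crude cap on regex size to limit backtracking cost
COMMAND_TIMEOUT_S = 300


class GraderRejected(ValueError):
    """Raised when a grader spec asks for something outside the allowed surface."""


@dataclass(frozen=True)
class GraderResult:
    passed: bool
    detail: str


def _confine(workspace: str, rel_path: str) -> str:
    """Resolve rel_path inside workspace; reject absolute paths, `..` and symlink escapes."""
    root = os.path.realpath(workspace)
    if os.path.isabs(rel_path):
        raise GraderRejected(f"absolute path not allowed: {rel_path}")
    target = os.path.realpath(os.path.join(root, rel_path))
    if os.path.commonpath([root, target]) != root:
        raise GraderRejected(f"path escapes workspace: {rel_path}")
    return target


def grade_file_contains(workspace: str, spec: dict) -> GraderResult:
    """Replacement for `grep -q PATTERN FILE`: the match runs in-process, no shell."""
    pattern = spec.get("pattern")
    if not isinstance(pattern, str) or len(pattern) > MAX_PATTERN_LEN:
        raise GraderRejected("pattern missing or too long")
    try:
        regex = re.compile(pattern)
    except re.error as exc:
        raise GraderRejected(f"invalid regex: {exc}") from exc
    path = _confine(workspace, str(spec.get("path", "")))
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        return GraderResult(False, f"cannot read {spec.get('path')}: {exc.strerror}")
    found = regex.search(text) is not None
    return GraderResult(found, f"{pattern!r} {'found' if found else 'not found'} in {spec.get('path')}")


def grade_command(workspace: str, spec: dict, allowlist=DEFAULT_ALLOWLIST) -> GraderResult:
    """Run one allow-listed argv vector: no shell, workspace as cwd, minimal env, timeout."""
    argv = spec.get("argv")
    if not isinstance(argv, list) or not all(isinstance(a, str) for a in argv):
        raise GraderRejected("argv must be a list of strings; a bash string is not accepted")
    if tuple(argv) not in allowlist:
        raise GraderRejected(f"command not in allow-list: {argv}")
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "HOME": workspace}
    try:
        proc = subprocess.run(argv, cwd=workspace, env=env, shell=False, capture_output=True,
                              text=True, timeout=COMMAND_TIMEOUT_S)
    except subprocess.TimeoutExpired:
        return GraderResult(False, f"{argv[0]} timed out after {COMMAND_TIMEOUT_S}s")
    except OSError as exc:
        return GraderResult(False, f"cannot run {argv[0]}: {exc.strerror}")
    return GraderResult(proc.returncode == 0, f"{' '.join(argv)} exited {proc.returncode}")


def run_grader(spec: dict, workspace: str, allowlist=DEFAULT_ALLOWLIST) -> GraderResult:
    """Dispatch on spec['type']; anything else, including a raw `bash` block, is rejected."""
    kind = spec.get("type")
    if kind == "file_contains":
        return grade_file_contains(workspace, spec)
    if kind == "command":
        return grade_command(workspace, spec, allowlist)
    raise GraderRejected(f"unsupported grader type: {kind!r}")


def rejects(spec: dict, workspace: str) -> bool:
    """True when run_grader refuses the spec outright (as opposed to grading it as failed)."""
    try:
        run_grader(spec, workspace)
    except GraderRejected:
        return True
    return False


def make_workspace() -> str:
    """Constructed sample workspace: one source file plus a symlink pointing outside the tree."""
    ws = tempfile.mkdtemp(prefix="evalws-")
    with open(os.path.join(ws, "app.js"), "w", encoding="utf-8") as fh:
        fh.write("export function add(a, b) { return a + b; }\n")
    try:
        os.symlink(os.path.dirname(ws), os.path.join(ws, "escape"))
    except OSError:
        pass  # symlinks unavailable on this host; the `..` and absolute-path checks still apply
    return ws
```

Usage: `run_grader({"type": "file_contains", "path": "app.js", "pattern": r"function add\("}, make_workspace())` returns a passing result, while `rejects({"type": "command", "argv": ["npm", "test", "--", ";curl attacker.example"]}, ws)` is `True` because the argv vector is not an exact allow-list entry. The allow-list is deliberately exact-match rather than prefix-match: `npm run` with a user-chosen script name would hand control back to whatever `package.json` defines, which is the same problem one level down. Rejection is distinct from a failed grade so that an eval author cannot turn a blocked command into a silently "failing" test. This narrows the command surface but is not a sandbox: `npm test` still runs the repository's own test scripts with the agent's privileges, so the sandboxing or human-approval controls from the findings remain necessary for untrusted repositories.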
Full report: https://skillshield.io/report/95675623dd83c4aa
Powered by SkillShield