Trust Assessment
claude-reflect received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 29 findings: 17 critical, 7 high, 3 medium, and 0 low severity. Key findings include Arbitrary command execution, File read + network send exfiltration, and Dangerous call: subprocess.run().
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, static_code_analysis, dependency_graph. The manifest_analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit de42d742). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (29)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/scripts/lib/semantic_detector.py:76 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/scripts/lib/semantic_detector.py:308 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/scripts/lib/semantic_detector.py:485 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/tests/test_integration.py:40 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/tests/test_integration.py:53 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/scripts/compare_detection.py:9 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/scripts/compare_detection.py:314 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/scripts/lib/reflect_utils.py:60 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/scripts/lib/reflect_utils.py:110 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/tests/test_reflect_utils.py:651 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/tests/test_reflect_utils.py:656 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/tests/test_reflect_utils.py:659 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/tests/test_reflect_utils.py:664 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/tests/test_reflect_utils.py:669 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/tests/test_reflect_utils.py:672 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/tests/test_reflect_utils.py:677 | |
| CRITICAL | File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/tests/test_reflect_utils.py:688 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'semantic_analyze'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/scripts/lib/semantic_detector.py:76 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'validate_tool_error'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/scripts/lib/semantic_detector.py:308 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'detect_contradictions'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/scripts/lib/semantic_detector.py:485 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_bash_script'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/tests/test_integration.py:40 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_python_script'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/tests/test_integration.py:53 | |
| HIGH | Potential Regular Expression Denial of Service (ReDoS) in legacy bash scripts The legacy bash scripts `capture-learning.sh` and `extract-session-learnings.sh` use regular expressions with greedy quantifiers (`.+`) that could be vulnerable to Regular Expression Denial of Service (ReDoS) if processing specially crafted, long untrusted input. While the Python equivalent `lib/reflect_utils.py` includes a `MAX_CAPTURE_PROMPT_LENGTH` to mitigate this, the bash scripts do not appear to have a similar length restriction, making them susceptible to excessive backtracking and potential resource exhaustion. If these legacy bash scripts are still in use, replace them with their Python counterparts or implement a maximum input length check before applying regex. Alternatively, refactor the regex patterns to avoid greedy quantifiers with unbounded wildcards, or use a regex engine known to be resistant to ReDoS. | Unknown | scripts/legacy/capture-learning.sh:100 | |
| HIGH | Potential Regular Expression Denial of Service (ReDoS) in legacy bash scripts The legacy bash script `extract-session-learnings.sh` uses regular expressions with greedy quantifiers (`.+`) that could be vulnerable to Regular Expression Denial of Service (ReDoS) if processing specially crafted, long untrusted input. While the Python equivalent `lib/reflect_utils.py` includes a `MAX_CAPTURE_PROMPT_LENGTH` to mitigate this, this bash script does not appear to have a similar length restriction, making it susceptible to excessive backtracking and potential resource exhaustion. If this legacy bash script is still in use, replace it with its Python counterpart or implement a maximum input length check before applying regex. Alternatively, refactor the regex patterns to avoid greedy quantifiers with unbounded wildcards, or use a regex engine known to be resistant to ReDoS. | Unknown | scripts/legacy/extract-session-learnings.sh:44 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/scripts/legacy/capture-learning.sh:6 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/scripts/legacy/check-learnings.sh:5 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-35xsrvie/repo/scripts/legacy/post-commit-reminder.sh:5 | |
| INFO | Minor Prompt Injection Risk via Truncated User Input in Output The script prints truncated user input (`prompt[:40]...`) directly to stdout, which is then added as context to the host LLM. While truncation significantly limits the potential for malicious instruction injection, a very short, carefully crafted instruction could theoretically still influence the LLM. Given the skill's purpose is to process and reflect on user input, this is a low-confidence, informational finding. Consider sanitizing or further restricting the content of `preview` if there's a concern about even truncated user input influencing the LLM. For example, remove any LLM-specific instruction keywords or enclose the output in a non-executable block (e.g., XML tags or code fences) if the host LLM supports it. | Unknown | scripts/capture_learning.py:60 | |
| INFO | Minor Prompt Injection Risk via Truncated User Input in Output The script prints truncated user input (`msg[:57]...`) directly to stdout as part of a reminder message. While truncation significantly limits the potential for malicious instruction injection, a very short, carefully crafted instruction could theoretically still influence the host LLM. Given the skill's purpose is to process and reflect on user input, this is a low-confidence, informational finding. Consider sanitizing or further restricting the content of `msg` if there's a concern about even truncated user input influencing the LLM. For example, remove any LLM-specific instruction keywords or enclose the output in a non-executable block (e.g., XML tags or code fences) if the host LLM supports it. | Unknown | scripts/session_start_reminder.py:35 |