Trust Assessment
dogfood received a trust score of 78/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Command Injection via Unsanitized User Input in Bash Commands, Mismatch Between Declared Permissions and Skill's Bash Usage.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on May 1, 2026 (commit ace14e40). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Command Injection via Unsanitized User Input in Bash Commands The skill constructs Bash commands by interpolating various placeholders (e.g., {OUTPUT_DIR}, {SESSION}, {TARGET_APP}, {PLATFORM}, {EMAIL}, {PASSWORD}, {NNN}, {screen-name}) directly into shell command strings. If these placeholders are populated with untrusted user input without proper sanitization or escaping, an attacker could inject arbitrary shell commands. This could lead to unauthorized file system access, data modification, or execution of malicious code within the agent's environment. The declared permissions `Bash(agent-device:*)` and `Bash(npx agent-device:*)` are broad enough to allow arbitrary arguments to the `agent-device` command, exacerbating this risk. All user-controlled inputs interpolated into shell commands must be properly sanitized and escaped to prevent command injection. Consider using a dedicated library for shell command construction that handles escaping automatically, or explicitly quote and escape all variables (e.g., `"${VARIABLE}"`) and validate their content against expected patterns. | Static | SKILL.md:55 | |
| MEDIUM | Mismatch Between Declared Permissions and Skill's Bash Usage The skill's manifest declares permissions for `Bash(agent-device:*)` and `Bash(npx agent-device:*)`. However, the skill's workflow explicitly uses general Bash commands like `mkdir` and `cp` (e.g., `mkdir -p {OUTPUT_DIR}/screenshots {OUTPUT_DIR}/videos` and `cp {SKILL_DIR}/templates/dogfood-report-template.md {OUTPUT_DIR}/report.md`). This indicates a discrepancy where the skill requires broader Bash permissions than explicitly declared. If the agent's execution environment is more permissive than the declared permissions, it could lead to unintended command execution capabilities. If the agent strictly enforces the declared permissions, these commands will fail, breaking the skill's functionality. Update the skill's manifest to accurately reflect all required Bash commands (e.g., `Bash(mkdir, cp, agent-device, npx agent-device)` or `Bash(*)` if broad access is truly necessary). Alternatively, refactor the skill to use only the explicitly declared `agent-device` commands or a more restricted file system API if available in the agent's environment. | Static | SKILL.md:55 |
Scan History
Embed Code
[](https://skillshield.io/report/4b4612d5aec47ed1)
Powered by SkillShield