Trust Assessment
etetoolkit received a trust score of 52/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 8 findings: 0 critical, 0 high, 6 medium, and 2 low severity. Key findings include Unsafe deserialization / dynamic eval, Network egress to untrusted endpoints, and Covert behavior / concealment directives.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | cli-tool/components/skills/scientific/etetoolkit/scripts/quick_visualize.py:5 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | cli-tool/components/skills/scientific/etetoolkit/scripts/tree_operations.py:5 |
| MEDIUM | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Arbitrary File Read via User-Controlled Paths: The `quick_visualize.py` and `tree_operations.py` scripts accept user-controlled file paths as input for tree files and, in the case of `tree_operations.py`, for a list of taxa. If a malicious or sensitive file path is provided (e.g., `/etc/passwd`, `~/.ssh/id_rsa`), the scripts will attempt to open and read the content of these files. While the scripts are designed to parse specific formats (Newick), the act of reading an arbitrary file into memory constitutes a data exfiltration risk, even if parsing subsequently fails. The `tree_operations.py` script's `list_leaves` function could potentially print parts of a non-Newick file if it misinterprets its content as leaf names. Implement stricter input validation for file paths. Consider restricting file access to a designated data directory or validating file extensions. For the `keep_taxa` argument in `tree_operations.py`, explicitly differentiate between a comma-separated list of names and a file path, and apply appropriate validation for each. For an AI agent, ensure explicit user confirmation before accessing files outside of a predefined safe directory. | Static | scripts/quick_visualize.py:38 |
| MEDIUM | Arbitrary File Read via User-Controlled Paths: The `quick_visualize.py` and `tree_operations.py` scripts accept user-controlled file paths as input for tree files and, in the case of `tree_operations.py`, for a list of taxa. If a malicious or sensitive file path is provided (e.g., `/etc/passwd`, `~/.ssh/id_rsa`), the scripts will attempt to open and read the content of these files. While the scripts are designed to parse specific formats (Newick), the act of reading an arbitrary file into memory constitutes a data exfiltration risk, even if parsing subsequently fails. The `tree_operations.py` script's `list_leaves` function could potentially print parts of a non-Newick file if it misinterprets its content as leaf names. Implement stricter input validation for file paths. Consider restricting file access to a designated data directory or validating file extensions. For the `keep_taxa` argument in `tree_operations.py`, explicitly differentiate between a comma-separated list of names and a file path, and apply appropriate validation for each. For an AI agent, ensure explicit user confirmation before accessing files outside of a predefined safe directory. | Static | scripts/tree_operations.py:17 |
| MEDIUM | Arbitrary File Read via User-Controlled Paths: The `quick_visualize.py` and `tree_operations.py` scripts accept user-controlled file paths as input for tree files and, in the case of `tree_operations.py`, for a list of taxa. If a malicious or sensitive file path is provided (e.g., `/etc/passwd`, `~/.ssh/id_rsa`), the scripts will attempt to open and read the content of these files. While the scripts are designed to parse specific formats (Newick), the act of reading an arbitrary file into memory constitutes a data exfiltration risk, even if parsing subsequently fails. The `tree_operations.py` script's `list_leaves` function could potentially print parts of a non-Newick file if it misinterprets its content as leaf names. Implement stricter input validation for file paths. Consider restricting file access to a designated data directory or validating file extensions. For the `keep_taxa` argument in `tree_operations.py`, explicitly differentiate between a comma-separated list of names and a file path, and apply appropriate validation for each. For an AI agent, ensure explicit user confirmation before accessing files outside of a predefined safe directory. | Static | scripts/tree_operations.py:70 |
| LOW | Covert behavior / concealment directives: Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
| LOW | Unpinned Dependency in Installation Instructions: The installation instructions in `SKILL.md` recommend installing `ete3` using `uv pip install ete3` without specifying a version. This practice can lead to supply chain risks, as a future compromised version of the `ete3` package could be installed, introducing vulnerabilities. While `ete3` is a legitimate library, unpinned dependencies are a general security concern. Pin the dependency to a specific, known-good version (e.g., `uv pip install ete3==X.Y.Z`) to ensure reproducibility and mitigate risks from future malicious updates. Regularly review and update pinned versions. | Static | SKILL.md:291 |