Trust Assessment
loki-mode received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 17 findings: 5 critical, 4 high, 6 medium, 1 low, and 1 informational. Key findings include network egress to untrusted endpoints, arbitrary command execution, and a dangerous call to `eval()`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The Manifest Analysis layer scored lowest, at 0/100.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (17)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to a raw IP address. *Remediation:* Review all outbound network calls; remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/skills/ai-research/loki-mode/autonomy/run.sh:1195 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to a raw IP address. *Remediation:* Review all outbound network calls; remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/skills/ai-research/loki-mode/autonomy/run.sh:1199 |
| CRITICAL | **Arbitrary command execution.** Python dynamic code execution (`exec`/`eval`/`compile`). *Remediation:* Review all shell execution calls; ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/ai-research/loki-mode/benchmarks/results/humaneval-loki-solutions/160.py:34 |
| CRITICAL | **Dangerous call: `eval()`.** Call to `eval()` detected in function `do_algebra`; this can execute arbitrary code. *Remediation:* Avoid dangerous functions such as `exec`/`eval`/`os.system`; use safer alternatives. | Static | cli-tool/components/skills/ai-research/loki-mode/benchmarks/results/humaneval-loki-solutions/160.py:34 |
| CRITICAL | **Excessive permissions: dangerously-skip-permissions flag.** The skill explicitly instructs that the LLM be launched with the `--dangerously-skip-permissions` flag, as seen in `SKILL.md` and `scripts/loki-wrapper.sh`. This flag disables critical security safeguards, allowing the LLM to execute arbitrary commands on the host system without user confirmation or sandboxing, and makes the system highly vulnerable to command injection if the LLM can be prompted (or internally induced) to generate malicious commands. *Remediation:* Remove the `--dangerously-skip-permissions` flag; implement a tool-use framework with explicit, granular permissions and user confirmation for sensitive operations; run all LLM-generated code in a secure sandbox. | LLM | SKILL.md:277 |
| HIGH | **Excessive permissions: weak command and path controls.** `autonomy/run.sh` uses a blacklist (`LOKI_BLOCKED_COMMANDS`) to block dangerous commands and defaults `LOKI_ALLOWED_PATHS` to effectively allow all paths. Blacklists are inherently bypassable, since attackers can use variations of blocked commands or alternative methods, and unrestricted path access lets the LLM create, modify, or delete arbitrary files. *Remediation:* Replace the blacklist with a strict whitelist of allowed commands and paths, define explicit minimal directories the LLM may touch, and run all operations in a secure sandbox (e.g., Docker). | LLM | autonomy/run.sh:40 |
| HIGH | **Excessive permissions: Puppeteer sandbox disabled.** `scripts/take-screenshots.js` launches Puppeteer with `--no-sandbox` and `--disable-setuid-sandbox`. Disabling the browser sandbox significantly increases the risk of arbitrary code execution if the browser processes untrusted content; although it loads a local HTML file, that file or its linked resources could be manipulated by an attacker (e.g., via LLM output written to dashboard files). *Remediation:* Remove both flags, run the browser sandboxed, and ensure the HTML and all linked assets are strictly controlled and cannot be modified by untrusted input. | LLM | scripts/take-screenshots.js:14 |
| HIGH | **Command injection / arbitrary file write via path traversal in export script.** `scripts/export-to-vibe-kanban.sh` constructs export file paths from the `task_id` field of JSON input (`.loki/queue/*.json`). Traversal sequences (e.g., `../`) injected into a task's `id` field (for instance via manipulated LLM output) enable arbitrary file writes outside the export directory, and `EXPORT_DIR` itself is taken from the script's first argument, allowing arbitrary export locations. *Remediation:* Sanitize `task_id` against traversal characters, validate `EXPORT_DIR` against an allowed non-sensitive directory, and consider a fixed export directory that user input and environment variables cannot influence. | LLM | scripts/export-to-vibe-kanban.sh:90 |
| HIGH | **Data exfiltration / arbitrary file read via path traversal in benchmark script.** `benchmarks/prepare-submission.sh` uses the user-controlled `$RESULTS_DIR` (the script's first argument) in `cp -r "$RESULTS_DIR/trajs" "$SUBMISSION_DIR/"` and `cp -r "$RESULTS_DIR/logs" "$SUBMISSION_DIR/"`. A traversal value such as `../../etc` causes arbitrary system files or directories to be copied into the submission directory. *Remediation:* Sanitize `$RESULTS_DIR`; resolve paths with `realpath` (or similar) and validate that they fall within expected boundaries before use. | LLM | benchmarks/prepare-submission.sh:80 |
| MEDIUM | **Network egress to untrusted endpoints.** HTTP request to a raw IP address. *Remediation:* Review all outbound network calls; remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/skills/ai-research/loki-mode/demo/record-full-demo.sh:114 |
| MEDIUM | **Sensitive environment variable access: `$HOME`.** Access to `$HOME` detected in a shell context. *Remediation:* Verify this access is necessary and the value is not exfiltrated. | Static | cli-tool/components/skills/ai-research/loki-mode/autonomy/run.sh:243 |
| MEDIUM | **Sensitive environment variable access: `$HOME`.** Access to `$HOME` detected in a shell context. *Remediation:* Verify this access is necessary and the value is not exfiltrated. | Static | cli-tool/components/skills/ai-research/loki-mode/scripts/export-to-vibe-kanban.sh:8 |
| MEDIUM | **Network egress to untrusted endpoints.** HTTP request to a raw IP address. *Remediation:* Review all outbound network calls; remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | **Supply chain risk: unpinned dependency (`npx @latest`).** `SKILL.md` instructs running `npx @playwright/mcp@latest` for E2E testing. Using `@latest` without pinning a specific version is a supply chain risk: a compromised `latest` release could introduce malicious code. While `scripts/take-screenshots.js` uses `puppeteer` (which may be pinned elsewhere), the explicit instruction to use `@latest` is a direct risk. *Remediation:* Pin all dependencies to specific, immutable versions (e.g., `npx @playwright/mcp@1.2.3`) to ensure reproducibility and prevent malicious updates from being pulled in automatically. | LLM | SKILL.md:420 |
| MEDIUM | **Data exfiltration: export of internal state files.** `scripts/export-to-vibe-kanban.sh` exports the contents of `.loki/queue/*.json` without any sanitization or filtering. If these internal state files contain sensitive information (PII from user interactions, API keys from LLM-generated code, or other confidential data), exporting them to a potentially user-controlled `$EXPORT_DIR` could leak it. *Remediation:* Sanitize and filter data before export; redact or encrypt any sensitive information stored in queue files; validate the export directory to prevent writes to arbitrary locations. | LLM | scripts/export-to-vibe-kanban.sh:100 |
| LOW | **Covert behavior / concealment directives.** Multiple zero-width characters (stealth text). *Remediation:* Remove hidden instructions, zero-width characters, and bidirectional overrides; skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
| INFO | **Prompt injection vector: wrapper-script prompt construction.** `scripts/loki-wrapper.sh` builds the LLM's prompt from `PRD_PATH`, an argument to the wrapper. That argument is assumed to be controlled by the user launching the skill, but if the LLM could influence it in a subsequent run (e.g., by modifying a configuration file the wrapper reads), prompt injection becomes possible; this vector should be monitored in a highly autonomous system. *Remediation:* Strictly validate and sanitize all inputs used to construct the prompt, and consider a dedicated, isolated channel for LLM instructions that external manipulation cannot reach. | LLM | scripts/loki-wrapper.sh:115 |
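The path-traversal remediations above (for the export and benchmark scripts) amount to one pattern: resolve the candidate path and verify it stays inside an allowed base directory. A minimal sketch of that check, assuming a hypothetical `is_within` helper not present in the skill itself:

```python
import os

def is_within(base: str, candidate: str) -> bool:
    """Return True only if `candidate` resolves inside `base`.

    realpath() collapses `..` segments and symlinks before the
    containment check, so traversal inputs such as `../../etc`
    are rejected even when they point at real files.
    """
    base_real = os.path.realpath(base)
    cand_real = os.path.realpath(os.path.join(base, candidate))
    return os.path.commonpath([base_real, cand_real]) == base_real
```

The same idea works in shell via `realpath` plus a prefix check, as the benchmark-script finding suggests; the key is to validate the *resolved* path, never the raw input string.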
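For the `eval()` finding in `do_algebra`, the usual safer alternative is explicit operator dispatch: map operator tokens to functions instead of evaluating a constructed string. A minimal sketch (the operator set and left-to-right evaluation are illustrative assumptions, not taken from the solution file, and it deliberately ignores operator precedence):

```python
import operator

# Dispatch table: operator tokens map to functions, so no string
# of user-influenced input is ever executed as code.
OPS = {
    "+": operator.add,
    "-": operator.sub,
    "*": operator.mul,
    "//": operator.floordiv,
    "**": operator.pow,
}

def apply_ops(ops: list, operands: list) -> int:
    """Evaluate operands left to right using the dispatch table.

    Unknown tokens raise KeyError instead of silently executing,
    which is the point: the set of allowed operations is closed.
    """
    result = operands[0]
    for op, operand in zip(ops, operands[1:]):
        result = OPS[op](result, operand)
    return result
```

A precedence-respecting replacement would need a small parser, but the dispatch pattern is the core fix either way.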
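The low-severity "stealth text" finding can be checked for mechanically: scan files for zero-width and bidirectional-control code points. A minimal detector sketch (the character set below covers common cases and is an assumption, not SkillShield's actual rule set):

```python
import unicodedata

# Zero-width and bidi-control code points commonly used to hide text.
STEALTH_CHARS = {
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\u2060",  # WORD JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE (BOM)
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # bidi embeds/overrides
}

def find_stealth_chars(text: str):
    """Return (index, unicode-name) pairs for hidden characters found."""
    return [
        (i, unicodedata.name(ch, hex(ord(ch))))
        for i, ch in enumerate(text)
        if ch in STEALTH_CHARS
    ]
```

Running such a check in CI over skill manifests and instruction files makes the "fully visible and transparent" remediation enforceable rather than aspirational.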
Embed Code
[SkillShield report](https://skillshield.io/report/cca1ffa9f7207809)
Powered by SkillShield