Trust Assessment
session-handoff received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 11 findings: 3 critical, 5 high, 2 medium, and 1 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Network egress to untrusted endpoints.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 1/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings11
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/enterprise-communication/session-handoff/evals/setup_test_env.py:29 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/enterprise-communication/session-handoff/scripts/check_staleness.py:28 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/enterprise-communication/session-handoff/scripts/create_handoff.py:32 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_cmd'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/enterprise-communication/session-handoff/evals/setup_test_env.py:29 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_cmd'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/enterprise-communication/session-handoff/scripts/check_staleness.py:28 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_cmd'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/enterprise-communication/session-handoff/scripts/create_handoff.py:32 | |
| HIGH | Arbitrary CWD for Git Commands via Handoff File The `check_staleness.py` script extracts a `project_path` from the handoff document's content. This extracted path is then used as the current working directory (`cwd`) for subsequent `git` commands executed via `subprocess.run`. If a malicious handoff file is processed, an attacker could specify an arbitrary `project_path` (e.g., `/`, `/etc`, or a sensitive user directory). While the `git` commands themselves are fixed and executed safely as a list (preventing shell injection via arguments), executing them in an arbitrary, user-controlled `cwd` grants excessive permissions and could lead to information disclosure (e.g., git history of sensitive directories) or unexpected behavior, violating the principle of least privilege. Validate and sanitize the `project_path` extracted from the handoff document. Ensure it is a subdirectory of the expected project root or a known safe path. Alternatively, restrict the `cwd` to the directory containing the handoff file or the current working directory of the agent, rather than a value extracted from untrusted input. | Static | scripts/check_staleness.py:100 | |
| HIGH | LLM analysis found no issues despite critical deterministic findings Deterministic layers flagged 3 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion. | LLM | (sanity check) | |
| MEDIUM | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 | |
| MEDIUM | Information Disclosure via Arbitrary Path Listing The `list_handoffs.py` script accepts an optional `project_path` argument from the command line (`sys.argv[1]`). The skill explicitly instructs the agent to use this functionality with a user-provided path (e.g., `python scripts/list_handoffs.py /path`). This allows the agent, or a malicious user instructing the agent, to list the contents of any `.claude/handoffs/` directory on the filesystem, potentially disclosing sensitive handoff documents from arbitrary locations outside the intended project scope. This constitutes an excessive permission and an information disclosure risk. Restrict the `project_path` argument to be within the current working directory or a predefined safe directory. If listing from arbitrary paths is necessary, implement robust path validation and user authorization checks to ensure only permitted directories are accessed. | Static | scripts/list_handoffs.py:90 | |
| LOW | Covert behavior / concealment directives Multiple zero-width characters (stealth text) Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Scan History
Embed Code
[](https://skillshield.io/report/b31f23186537c6de)
Powered by SkillShield