Trust Assessment
skill-installer received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 2 critical, 1 high, 1 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, Arbitrary Code Installation leading to Remote Code Execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Details | Recommendations | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary Code Installation leading to Remote Code Execution | The skill is explicitly designed to install code from user-specified GitHub repositories into the agent's skill directory (`$CODEX_HOME/skills`). This allows an attacker to provide a URL to a malicious repository, leading to the installation and subsequent execution of arbitrary code by the agent. This is a direct and severe path to Remote Code Execution (RCE) and potential full system compromise, since the installed code runs with the agent's permissions. The skill's description states 'users can also provide other locations' and 'Install from another repo when the user provides a GitHub repo/path (including private repos).' | 1) **Restrict Sources:** Limit skill installation to a predefined, trusted list of repositories and specific branches/tags; do not accept arbitrary URLs or repository paths from user input. 2) **Code Review:** Require a mandatory, rigorous security review of every skill before it can be installed and executed. 3) **Sandboxing:** Run skill installation and subsequent skill execution in a highly restricted sandbox with minimal permissions, isolated from critical system resources. 4) **User Confirmation:** Require explicit user confirmation for any skill installation, especially from non-curated sources, with clear warnings about the security risks. 5) **Least Privilege:** Run the skill installer script itself with the absolute minimum necessary permissions. | LLM | SKILL.md:1 |
| CRITICAL | Arbitrary File Write via user-controlled destination path | The skill's `install-skill-from-github.py` script supports a `--dest <path>` option. If this option is exposed to user input without strict validation, an attacker could specify an arbitrary file system path and write files to sensitive locations (e.g., `/etc`, `/usr/local/bin`, startup directories) or overwrite existing system files. Such a capability can lead to privilege escalation, denial of service, or further command injection by placing malicious executables or configuration files. | 1) **Strict Validation:** Validate the `--dest` argument so that it only allows paths within the designated skill installation directory (`$CODEX_HOME/skills`) and reject directory traversal (e.g., `../`). 2) **Remove User Control:** Ideally, derive the destination path entirely from the skill's internal logic (e.g., `$CODEX_HOME/skills/<skill-name>`) rather than user input. 3) **Least Privilege:** Run the script with permissions that prevent writing outside the intended skill directory. | LLM | SKILL.md:44 |
| HIGH | Potential Shell Injection in user-provided script arguments | The skill describes calling helper scripts such as `install-skill-from-github.py` with user-provided arguments like `--repo <owner>/<repo>`, `--path <path/to/skill>`, and `--url <url>`. If these arguments are interpolated directly into a shell command without proper escaping or sanitization by the execution environment or the script itself, an attacker could inject shell metacharacters (e.g., `;`, `\|`, `&`, `$(...)`) to execute arbitrary commands. This is a common vulnerability pattern when executing external commands with user-controlled input. | 1) **Argument Sanitization:** Strictly validate and sanitize all user-provided arguments to reject shell metacharacters. 2) **Safe Execution:** When executing external commands, pass arguments as a list (e.g., `subprocess.run(['command', 'arg1', 'arg2'])` in Python) rather than as a single shell string, so the shell never interprets them. 3) **Input Validation:** Validate every parameter (`repo`, `path`, `url`, `ref`, `dest`) against its expected format. | LLM | SKILL.md:29 |
| MEDIUM | Network egress to untrusted endpoints | HTTP request to a raw IP address. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | Covert behavior / concealment directives | Multiple zero-width characters (stealth text). | Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Full report: https://skillshield.io/report/cccff2c2e5a425cc (powered by SkillShield)