Trust Assessment
hackernews-frontpage received a trust score of 56/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include "Network egress to untrusted endpoints", "Skill can obtain daemon root token via local state file fallback", and "Use of `child_process.spawnSync` for external command execution".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on April 29, 2026 (commit e8893a18). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | browser-skills/hackernews-frontpage/_lib/browse-client.ts:151 |
| HIGH | Skill can obtain daemon root token via local state file fallback: The `_lib/browse-client.ts` library, which is imported and used by the skill, implements an authentication resolution mechanism that prioritizes environment variables (`GSTACK_PORT`, `GSTACK_SKILL_TOKEN`) but falls back to reading a local state file (`.gstack/browse.json`) if these variables are not present. The documentation within `_lib/browse-client.ts` explicitly states that this state file contains "the daemon root token". This means that if the skill is executed in an environment where the standard scoped tokens are not provided (e.g., a developer running `bun run script.ts` directly, as described in the client's documentation), the skill will attempt to read and use this highly privileged root token. A malicious skill could exploit this fallback to gain full, unrestricted control over the `gstack` daemon, bypassing the intended least-privilege security model of scoped tokens. The `browse-client` should be refactored to prevent skills from accessing the daemon root token. For agent-executed skills, only the scoped `GSTACK_SKILL_TOKEN` should be used. If a fallback for developer debugging is necessary, it should be implemented in a way that does not expose root tokens to skills, or requires explicit, non-default configuration to enable, and is clearly marked as insecure for production use. Ideally, skills should never have access to root tokens. | LLM | _lib/browse-client.ts:67 |
| INFO | Use of `child_process.spawnSync` for external command execution: The `defaultStateFile` function within `_lib/browse-client.ts` uses `child_process.spawnSync` to execute the `git` command (`git rev-parse --show-toplevel`). While the command and its arguments are hardcoded, and a timeout is applied, the execution of external processes via `child_process` can introduce a command injection vulnerability if any part of the command or its arguments were ever derived from untrusted input. Additionally, it could be susceptible to `PATH` manipulation attacks if the environment is compromised. In this specific context, the risk is low due to the fixed arguments and timeout, but it's a pattern that warrants attention in a security review. Evaluate if finding the git root is strictly necessary for the `browse-client` in an agent execution context. If external command execution is unavoidable, ensure that the command and its arguments are always fully controlled and never influenced by untrusted input. Consider using a more secure method for determining the project root if possible, or explicitly whitelist allowed executables and their paths. | LLM | _lib/browse-client.ts:81 |