Trust Assessment
hosted-agents received a trust score of 78/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium and 0 low severity. The two findings are Potential Command Injection via Sandbox Execution (high) and Credential Exposure via Command Line Arguments (medium).
The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 15, 2026 (commit 3e75fabd). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential Command Injection via Sandbox Execution.** The `Sandbox.execute_command` method is designed to execute arbitrary commands within the sandboxed environment. If the `command` argument is derived from untrusted user input (e.g., via an agent's interpretation of a user prompt), it creates a direct command injection vulnerability: an attacker could craft malicious commands to compromise the sandbox, access sensitive data, or disrupt operations. While the provided code is pseudocode, the design pattern of a direct command execution method without explicit input validation is a significant security risk in an agent-driven system. *Recommendation:* implement robust input validation for any command passed to `execute_command`; prefer an allowlist of permitted commands and arguments, or strictly escape all user-controlled input before execution; and configure the underlying execution environment (e.g., `subprocess.run` without `shell=True`) to prevent shell injection and limit privileges. | Unknown | scripts/sandbox_manager.py:50 |
| MEDIUM | **Credential Exposure via Command Line Arguments.** The `ImageBuilder.build_image` method constructs a `git clone` command that embeds a GitHub access token directly into the command string: `f"git clone https://x-access-token:{token}@github.com/{repo_url} /workspace"`. Credentials placed in command line arguments are visible to other processes on the same host (e.g., via `ps aux`), to shell history, and to any log that records the command line, which raises the risk of credential compromise. *Recommendation:* do not embed credentials in command line arguments. Instead: 1) pass the token via an environment variable that is cleared after use; 2) use Git's credential helper mechanism; 3) use SSH keys for repository access where appropriate. Keep the build execution environment isolated and restrict access to process lists and logs. | Unknown | scripts/sandbox_manager.py:108 |
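Both findings describe the same class of mistake: user- or token-controlled data flowing into a shell-style command string. The following Python is an added example, not code from the hosted-agents skill, showing a hardened `execute_command` (no shell, executable and flag allowlist, cleared environment, timeout) next to the flagged clone pattern and a variant that moves the token out of argv. The allowlist contents, the helper names, and the use of git's `GIT_CONFIG_COUNT`/`GIT_CONFIG_KEY_n`/`GIT_CONFIG_VALUE_n` environment variables (git 2.31 or newer) are assumptions of this example.

```python
import base64
import shlex
import subprocess

# Hypothetical allowlist: command name -> (absolute path, permitted flags).
# Anything not listed, including any flag not listed, is refused.
ALLOWED_COMMANDS = {
    "echo": ("/bin/echo", set()),
    "ls": ("/bin/ls", {"-l", "-a", "-la", "-al"}),
    "cat": ("/bin/cat", set()),
}


def build_argv(command: str) -> list[str]:
    """Turn an untrusted command string into an argv list.

    The string is tokenised with shlex and later executed without a shell,
    so metacharacters such as ';', '|' or '$(...)' become literal arguments
    instead of extra commands. The executable must be allowlisted, and
    flags are checked so that 'python3 -c ...' style option injection
    cannot turn a harmless tool into an interpreter.
    """
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        raise ValueError(f"malformed command: {exc}") from exc
    if not argv:
        raise ValueError("empty command")
    name, args = argv[0], argv[1:]
    if name not in ALLOWED_COMMANDS:
        raise PermissionError(f"command not allowed: {name!r}")
    path, flags = ALLOWED_COMMANDS[name]
    for arg in args:
        if arg.startswith("-") and arg not in flags:
            raise PermissionError(f"flag not allowed for {name}: {arg!r}")
        if "\x00" in arg or "\n" in arg:
            raise ValueError("control character in argument")
    return [path, *args]


def execute_command(command: str, cwd: str = "/tmp", timeout: float = 30.0) -> str:
    """Run an allowlisted command with no shell, a minimal environment,
    a working directory and a timeout; return its stdout."""
    argv = build_argv(command)
    result = subprocess.run(
        argv,
        cwd=cwd,
        env={"PATH": "/usr/bin:/bin"},  # no inherited secrets
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )
    return result.stdout


# --- Credential handling for the clone step --------------------------------

def clone_command_insecure(repo: str, token: str) -> str:
    """The flagged pattern: token inside argv, visible in ps, shell
    history and any logged command line."""
    return f"git clone https://x-access-token:{token}@github.com/{repo} /workspace"


def clone_argv(repo: str, dest: str = "/workspace") -> list[str]:
    """argv for the clone; the token is deliberately NOT here."""
    return ["git", "clone", f"https://github.com/{repo}", dest]


def clone_env(token: str) -> dict[str, str]:
    """Environment that carries the token out of band.

    GIT_CONFIG_COUNT/KEY/VALUE (git >= 2.31, assumed here) inject an
    http.extraheader entry for github.com through the environment, so the
    credential never appears in argv. The dict is built per call and is
    discarded as soon as the clone returns.
    """
    basic = base64.b64encode(f"x-access-token:{token}".encode()).decode()
    return {
        "PATH": "/usr/bin:/bin",
        "GIT_TERMINAL_PROMPT": "0",
        "GIT_CONFIG_COUNT": "1",
        "GIT_CONFIG_KEY_0": "http.https://github.com/.extraheader",
        "GIT_CONFIG_VALUE_0": f"AUTHORIZATION: basic {basic}",
    }


def run_clone(repo: str, token: str, dest: str = "/workspace") -> int:
    """Clone with the token passed via the environment only."""
    proc = subprocess.run(clone_argv(repo, dest), env=clone_env(token), check=False)
    return proc.returncode
```

Note that `build_argv("cat $(id)")` hands `cat` the literal string `$(id)` rather than running `id`, and `build_argv("bash -c id")` is refused outright, which is the behaviour the HIGH finding asks for. For the clone, the token still reaches git, but through `clone_env` rather than the process arguments that `ps aux` and shell history record; pair this with a short-lived token and a tightly scoped environment for the build step.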
Full report: https://skillshield.io/report/b366ffd4f6f41c7e