Security Audit
HKUDS/CLI-Anything:cli-hub-meta-skill
github.com/HKUDS/CLI-AnythingTrust Assessment
HKUDS/CLI-Anything:cli-hub-meta-skill received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Remote Instruction Execution via Untrusted External Catalog.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on June 19, 2026 (commit bf3cc39e). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Remote Instruction Execution via Untrusted External Catalog The skill instructs the agent to fetch and follow instructions from an external, mutable URL (https://reeceyang.sgp1.cdn.digitaloceanspaces.com/SKILL.md) and to read dynamically generated local SKILL.md files. This creates a significant risk of Indirect Prompt Injection, where an attacker compromising the external bucket or the package registry can inject malicious instructions that the host LLM will execute. Avoid instructing the agent to fetch and execute instructions from external, unverified, or mutable URLs. Hardcode or bundle the catalog within the skill package itself, or use a cryptographically signed/verified registry. | LLM | SKILL.md:55 |
Scan History
Embed Code
[](https://skillshield.io/report/40788013f94348fc)
Powered by SkillShield