Trust Assessment
anki-connect received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 5 critical, 2 high, 0 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Potential Command Injection via unescaped user input in `jq --arg` parameters, Unrestricted file path access for media operations leading to Data Exfiltration/Ingress.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 9b0e00ad). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings7
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | plugins/anki-connect/skills/SKILL.md:10 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | plugins/anki-connect/skills/SKILL.md:56 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | plugins/anki-connect/skills/SKILL.md:67 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | plugins/anki-connect/skills/SKILL.md:73 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | plugins/anki-connect/skills/SKILL.md:87 | |
| HIGH | Potential Command Injection via unescaped user input in `jq --arg` parameters The skill instructs the LLM to construct shell commands using `jq` and `curl` to interact with the AnkiConnect API. Specifically, it uses the pattern `jq -n --arg KEY "VALUE"`. If `VALUE` is derived directly from untrusted user input (e.g., a search query) without proper shell escaping, a malicious user could inject arbitrary shell commands. For instance, if a user provides input like `foo" && rm -rf / #`, and this is directly interpolated into the `jq --arg query "..."` command, it could lead to arbitrary command execution on the host system where the `curl` command is run. The skill documentation does not provide explicit guidance on how to safely shell-escape user input before passing it as arguments to `jq --arg`. The LLM should be explicitly instructed to shell-escape any user-provided strings before passing them as arguments to `jq --arg` within shell commands. This can be achieved by using a robust shell-escaping mechanism (e.g., `shlex.quote()` in Python) to prevent malicious input from breaking out of the quoted argument and executing arbitrary commands. | LLM | SKILL.md:60 | |
| HIGH | Unrestricted file path access for media operations leading to Data Exfiltration/Ingress The skill exposes AnkiConnect actions `storeMediaFile` and `retrieveMediaFile`, which can accept a `path` argument. The documentation does not specify any restrictions or sandboxing for these paths. If the LLM is prompted to use an arbitrary user-provided path for these actions, it could lead to:
- **Data Exfiltration**: Reading arbitrary files from the host system (e.g., `/etc/passwd`, `/root/.ssh/id_rsa`) using `retrieveMediaFile`.
- **Data Ingress/Modification**: Writing or overwriting arbitrary files on the host system (e.g., `/etc/cron.d/malicious_job`) using `storeMediaFile`, potentially leading to system compromise or data corruption. Unlike `importPackage`, which is explicitly noted as being relative to the Anki `collection.media` folder, no such restriction is mentioned for these media actions. Explicitly instruct the LLM to restrict `path` arguments for `storeMediaFile` and `retrieveMediaFile` to a safe, sandboxed directory (e.g., Anki's media folder or a temporary directory). Alternatively, for `storeMediaFile`, only allow `data` (base64) or `url` inputs, and for `retrieveMediaFile`, only return file content as base64 without exposing the original file path. If file path access is strictly necessary, it must be rigorously validated against an allowlist or confined to a specific, non-sensitive directory. | LLM | SKILL.md:160 |
Scan History
Embed Code
[](https://skillshield.io/report/0ea17d50d7b59ccd)
Powered by SkillShield