Trust Assessment
anki-connect received a trust score of 83/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The key findings are potential `jq` argument injection from untrusted input and broad access to destructive AnkiConnect actions.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, static_code_analysis, dependency_graph. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit 326f2466). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential `jq` argument injection from untrusted input.** The skill instructs the agent to use `jq` with `--arg` to construct JSON requests for AnkiConnect. While `--arg` is generally safer than direct string interpolation, if untrusted user input is passed directly as the *value* to `--arg` without proper shell escaping, it could lead to `jq` program injection. An attacker could craft input that modifies the `jq` program, potentially altering the `action` or `params` of the AnkiConnect request, leading to unintended or malicious operations (e.g., changing a `findNotes` request into a `deleteNotes` request). The skill provides examples like `jq -n --arg query "deck:French tag:verbs" ...` but does not provide guidance on sanitizing user-provided values for the `query` or other parameters when constructing the `jq` command. Add explicit instructions for the agent to sanitize or shell-escape any user-provided input before passing it as an argument to `jq --arg` or `jq --argjson`. Alternatively, instruct the agent to construct the JSON object in its own environment and pass the complete JSON string to `curl` via stdin, bypassing `jq` for input construction. | Unknown | SKILL.md:56 |
| MEDIUM | **Broad access to destructive AnkiConnect actions.** The skill provides access to a wide range of AnkiConnect actions, including highly destructive ones such as `deleteNotes`, `deleteDecks`, `storeMediaFile` (which can write files to the Anki media directory), `deleteMediaFile`, `importPackage`, and `exportPackage`. While the skill includes a "Safety and Confirmation Policy (Critical)" section requiring user confirmation for modifying/destructive operations, the underlying capabilities granted to the agent are extensive. An agent misinterpreting user intent, or a successful prompt injection attack bypassing the confirmation policy, could lead to significant data loss, modification, or unauthorized file operations within the user's Anki collection. The reliance on agent-side confirmation, while a good practice, does not negate the broad scope of powerful actions enabled by the skill. 1. **Strict Input Validation**: Implement rigorous validation and sanitization of all user inputs that translate into AnkiConnect actions or parameters, especially for destructive operations. 2. **Granular Permissions**: If possible, explore AnkiConnect features or agent design patterns that allow for more granular permission control, limiting the agent's access to only the specific actions required for a given user request. 3. **Enhanced Confirmation**: For critical operations, consider multi-factor confirmation or requiring explicit, unambiguous user consent that cannot be easily bypassed by prompt injection. 4. **Least Privilege**: Advise agents to operate with the least privilege necessary, only invoking powerful actions when explicitly and unambiguously instructed by the user and after confirmation. | Unknown | SKILL.md:280 |