Trust Assessment
anki-connect received a trust score of 83/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The key findings are potential `jq` argument injection from untrusted input and broad access to destructive AnkiConnect actions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit 326f2466). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential `jq` argument injection from untrusted input.** The skill instructs the agent to use `jq` with `--arg` to construct JSON requests for AnkiConnect. While `--arg` is generally safer than direct string interpolation, if untrusted user input is passed directly as the *value* to `--arg` without proper shell escaping, it could lead to `jq` program injection. An attacker could craft input that modifies the `jq` program, potentially altering the `action` or `params` of the AnkiConnect request, leading to unintended or malicious operations (e.g., changing a `findNotes` request into a `deleteNotes` request). The skill provides examples like `jq -n --arg query "deck:French tag:verbs" ...` but does not provide guidance on sanitizing user-provided values for the `query` or other parameters when constructing the `jq` command. Add explicit instructions for the agent to sanitize or shell-escape any user-provided input before passing it as an argument to `jq --arg` or `jq --argjson`. Alternatively, instruct the agent to construct the JSON object in its own environment and pass the complete JSON string to `curl` via stdin, bypassing `jq` for input construction. | LLM | SKILL.md:56 |
| MEDIUM | **Broad access to destructive AnkiConnect actions.** The skill provides access to a wide range of AnkiConnect actions, including highly destructive ones such as `deleteNotes`, `deleteDecks`, `storeMediaFile` (which can write files to the Anki media directory), `deleteMediaFile`, `importPackage`, and `exportPackage`. While the skill includes a "Safety and Confirmation Policy (Critical)" section requiring user confirmation for modifying/destructive operations, the underlying capabilities granted to the agent are extensive. An agent misinterpreting user intent, or a successful prompt injection attack bypassing the confirmation policy, could lead to significant data loss, modification, or unauthorized file operations within the user's Anki collection. The reliance on agent-side confirmation, while a good practice, does not negate the broad scope of powerful actions enabled by the skill. 1. **Strict Input Validation**: Implement rigorous validation and sanitization of all user inputs that translate into AnkiConnect actions or parameters, especially for destructive operations. 2. **Granular Permissions**: If possible, explore AnkiConnect features or agent design patterns that allow for more granular permission control, limiting the agent's access to only the specific actions required for a given user request. 3. **Enhanced Confirmation**: For critical operations, consider multi-factor confirmation or requiring explicit, unambiguous user consent that cannot be easily bypassed by prompt injection. 4. **Least Privilege**: Advise agents to operate with the least privilege necessary, only invoking powerful actions when explicitly and unambiguously instructed by the user and after confirmation. | LLM | SKILL.md:280 |