Trust Assessment
anki-connect received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 5 critical, 1 high, 2 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Potential Command Injection via `curl` and `jq` patterns, Data Exfiltration via `storeMediaFile` (Arbitrary File Read).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 9b0e00ad). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings9
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/anki-connect/SKILL.md:10 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/anki-connect/SKILL.md:56 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/anki-connect/SKILL.md:67 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/anki-connect/SKILL.md:73 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/anki-connect/SKILL.md:87 | |
| HIGH | Potential Command Injection via `curl` and `jq` patterns The skill documentation provides explicit patterns for constructing shell commands using `curl` and `jq` to interact with the AnkiConnect API. Specifically, it demonstrates passing user-controlled data (e.g., `query` strings) as arguments to `jq` using `--arg`. If the LLM directly interpolates untrusted user input into these shell commands without proper escaping or sanitization, it could lead to command injection. An attacker could craft input that breaks out of the intended argument and executes arbitrary shell commands. The LLM implementation of this skill must ensure that any user-provided input used in shell commands (e.g., as arguments to `jq --arg`) is rigorously escaped for the shell environment. Consider using a dedicated library for safe command execution or strictly validating and sanitizing all user input before inclusion in shell commands. | Static | SKILL.md:59 | |
| MEDIUM | Data Exfiltration via `storeMediaFile` (Arbitrary File Read) The `storeMediaFile` action allows uploading files to Anki's media collection. The skill states that this action can use a `path` parameter. If the LLM is instructed to use this action with a user-controlled file path, it could be coerced into reading arbitrary files from the local filesystem (accessible to the LLM's execution environment) and uploading their contents to Anki, effectively exfiltrating data. When using `storeMediaFile` with a `path` parameter, the LLM must strictly validate and sanitize the provided path. Ideally, restrict file uploads to a predefined, secure directory or require explicit user confirmation for any file path outside of expected locations. Avoid allowing arbitrary user-specified paths for file uploads. | Static | SKILL.md:160 | |
| MEDIUM | Arbitrary File Write via `exportPackage` The `exportPackage` action allows exporting Anki data (decks, notes) to a file. While the skill doesn't explicitly detail the parameters for `exportPackage`, it's highly probable it accepts a `path` parameter for the output file. If the LLM is instructed to use this action with a user-controlled file path, it could be coerced into writing Anki data to arbitrary locations on the filesystem, potentially overwriting critical system files, filling up disk space (Denial of Service), or writing sensitive data to an insecure location. When using `exportPackage`, the LLM must strictly validate and sanitize the provided output path. Restrict file exports to a predefined, secure directory (e.g., a temporary directory or a user-designated download folder) and require explicit user confirmation for any file path outside of expected locations. Avoid allowing arbitrary user-specified paths for file exports. | Static | SKILL.md:220 | |
| LOW | Destructive Action `guiExitAnki` not explicitly listed for confirmation The skill includes a robust 'Safety and Confirmation Policy' for destructive operations on notes and cards. However, the `guiExitAnki` action, which can terminate the Anki application, is not explicitly listed among the actions requiring confirmation. While the policy states 'Ask even if the action is not explicitly listed above,' explicitly listing such a significant destructive action would reinforce the security posture and reduce ambiguity for the LLM. Consider explicitly adding `guiExitAnki` to the list of actions requiring user confirmation in the 'Safety and Confirmation Policy' section to ensure consistent handling of all destructive operations. | Static | SKILL.md:196 |
Scan History
Embed Code
[](https://skillshield.io/report/06d894d2d19f4647)
Powered by SkillShield