Trust Assessment
ray-so-code-snippet received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 1 critical, 4 high, 1 medium, and 0 low severity. Key findings include Hidden network beacons / undisclosed telemetry, Command Injection via Unsanitized User Input in Python `eval`, Path Traversal Vulnerability in Output File Saving.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 9b0e00ad). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Command Injection via Unsanitized User Input in Python `eval` The skill constructs shell commands using `python3 -c` where user-provided content (`CODE_BASE64` and potentially `TITLE_ENCODED`) is directly interpolated into a Python string without proper escaping. A malicious user could inject arbitrary Python code by including single quotes and Python statements, leading to the execution of arbitrary shell commands on the host system. For example, injecting `' + __import__('os').system('malicious_command') + '` into the `CODE_BASE64` variable would execute `malicious_command`. User-provided data must be properly escaped before being interpolated into shell commands or Python string literals. For Python, use `shlex.quote()` if passing to a shell, or pass arguments directly to `subprocess.run()` with `shell=False`. In this case, the Python script itself should be robustly constructed to accept the base64 string as an argument, rather than direct string interpolation. For example, `python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))' "$CODE_BASE64"`. | Static | SKILL.md:105 | |
| HIGH | Hidden network beacons / undisclosed telemetry Command output piped through base64 encoding Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious. | Manifest | plugins/ray-so-code-snippet/skills/SKILL.md:133 | |
| HIGH | Hidden network beacons / undisclosed telemetry Command output piped through base64 encoding Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious. | Manifest | plugins/ray-so-code-snippet/skills/SKILL.md:170 | |
| HIGH | Hidden network beacons / undisclosed telemetry Command output piped through base64 encoding Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious. | Manifest | plugins/ray-so-code-snippet/skills/SKILL.md:258 | |
| HIGH | Path Traversal Vulnerability in Output File Saving The skill explicitly allows the user to specify the output path for the generated image. This creates a path traversal vulnerability, enabling a malicious user to write the image file to arbitrary locations on the filesystem (e.g., `../../../../etc/passwd`, `~/.ssh/id_rsa`). This could lead to overwriting critical system files, writing to sensitive directories, or potentially exfiltrating data if the base64 content is crafted to be a valid file for a sensitive location. Restrict the output path to a designated, sandboxed directory. Do not allow users to specify arbitrary paths. If a user-specified path is necessary, rigorously sanitize and validate it to ensure it remains within the allowed directory, preventing `..` or absolute path components. | Static | SKILL.md:100 | |
| MEDIUM | Supply Chain Risk from Unverified External Resources The skill fetches configuration data (themes and languages) from `raw.githubusercontent.com` via `curl` and loads a JavaScript library (`html-to-image`) from `cdn.jsdelivr.net`. While the JavaScript library version is pinned, both sources represent external dependencies. If these external resources are compromised (e.g., GitHub repository hijacked, CDN serves malicious content), the skill could be fed malicious data or execute arbitrary code within the `agent-browser` sandbox, leading to various security breaches. For critical configuration data, consider vendoring the data or using a trusted, version-controlled source. For external libraries, implement subresource integrity (SRI) checks if the environment supports it, or consider vendoring the library and serving it locally. Regularly audit external dependencies for vulnerabilities. | Static | SKILL.md:40 |
Scan History
Embed Code
[](https://skillshield.io/report/d639111e74b3f709)
Powered by SkillShield