Trust Assessment
ray-so-code-snippet received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 2 critical, 3 high, 1 medium, and 1 low severity. Key findings include Hidden network beacons / undisclosed telemetry, Shell Command Injection via User-Provided Code/Title, Arbitrary File Write / Command Injection via User-Controlled Output Path.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 31/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 9b0e00ad). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings7
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Shell Command Injection via User-Provided Code/Title The skill directly interpolates user-provided code and title into shell commands without proper sanitization. The `CODE` variable is used in `echo -n "$CODE" | base64`, which is vulnerable if `CODE` contains shell metacharacters (e.g., `$(evil_command)`). The resulting `CODE_BASE64` (and `TITLE_ENCODED`) is then interpolated into a `python3 -c "..."` command. If `CODE_BASE64` or `TITLE_ENCODED` contains a single quote, it can break out of the Python string literal, allowing arbitrary Python code execution, which in turn can execute shell commands. User-provided code and title must be thoroughly sanitized before being passed to shell commands. For the `echo` command, ensure `$CODE` is properly quoted and escaped to prevent shell expansion. For the Python script, pass the base64 encoded string as an argument to the Python script (e.g., `python3 -c "import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))" "$CODE_BASE64"`) instead of interpolating it directly into the command string. | Static | SKILL.md:100 | |
| CRITICAL | Arbitrary File Write / Command Injection via User-Controlled Output Path The skill allows the user to specify the output path/filename for the generated image. The instruction states: 'Only use a different path if the user explicitly specifies one in their original request.' If this user-provided path is not rigorously sanitized, it can lead to arbitrary file writes (e.g., overwriting system files) or command injection (e.g., `> /tmp/image.png; rm -rf /`). Strictly sanitize any user-provided output path or filename. Only allow alphanumeric characters, hyphens, and underscores, and enforce a specific file extension (e.g., `.png`). Prevent directory traversal (e.g., `../`) and shell metacharacters. Ideally, save files to a designated, sandboxed directory and only allow the user to specify the filename, not the full path. | Static | SKILL.md:160 | |
| HIGH | Hidden network beacons / undisclosed telemetry Command output piped through base64 encoding Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious. | Manifest | skills/ray-so-code-snippet/SKILL.md:133 | |
| HIGH | Hidden network beacons / undisclosed telemetry Command output piped through base64 encoding Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious. | Manifest | skills/ray-so-code-snippet/SKILL.md:170 | |
| HIGH | Hidden network beacons / undisclosed telemetry Command output piped through base64 encoding Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious. | Manifest | skills/ray-so-code-snippet/SKILL.md:258 | |
| MEDIUM | Unpinned Third-Party JavaScript Library from CDN The skill loads the `html-to-image` JavaScript library from `cdn.jsdelivr.net` using a specific version (`1.11.11`) but without a Subresource Integrity (SRI) hash. While `jsdelivr` is a reputable CDN, a compromise of the CDN or the `html-to-image` library itself could lead to the execution of malicious JavaScript within the `agent-browser` context, potentially compromising the agent's environment or exfiltrating data. To mitigate this supply chain risk, include a Subresource Integrity (SRI) hash when loading the script (e.g., `<script src="..." integrity="sha384-..."></script>`). Alternatively, bundle a verified copy of the `html-to-image` library with the skill and load it locally, removing the dependency on an external CDN. | Static | SKILL.md:140 | |
| LOW | User Code Sent to Third-Party Service The skill's core functionality involves sending the user's code snippet to `ray.so` (a third-party web service) by embedding it, base64-encoded, within the URL hash. While this is the intended behavior and the skill's description mentions `ray.so`, users should be aware that their code is transmitted to an external entity. This could be a data privacy concern for highly sensitive or proprietary code. Add an explicit warning or disclaimer to the user, advising them that their code will be sent to `ray.so` and recommending against using the skill for highly sensitive or confidential code. This ensures informed consent regarding data transmission. | Static | SKILL.md:105 |
Scan History
Embed Code
[](https://skillshield.io/report/62b5ee07b37faee7)
Powered by SkillShield