Trust Assessment
upstash-redis-kv received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 1 medium, and 1 low severity. Key findings include Command Injection via direct argument passing, Excessive Permissions with Destructive Commands and Confirmation Bypass, Potential Data Exfiltration via `KEYS` command and direct output.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 46/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 9b0e00ad). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Command Injection via direct argument passing The skill executes `bun run scripts/upstash-client.ts <command> [args...]` where `<command>` and `[args...]` are directly derived from user input. This allows a malicious user to inject arbitrary shell commands by crafting the input arguments. For example, providing an argument like `mykey; rm -rf /` could lead to arbitrary code execution on the host system. Implement robust input sanitization and validation for all arguments passed to the `bun run` command. Arguments should be treated as data, not executable code. Consider using a dedicated argument parsing library within `upstash-client.ts` that strictly separates commands from their arguments, and ensure no shell metacharacters are passed through to the underlying execution environment. | LLM | SKILL.md:12 | |
| HIGH | Excessive Permissions with Destructive Commands and Confirmation Bypass The skill provides direct access to highly destructive Redis commands such as `FLUSHDB` and `FLUSHALL`, which can wipe entire databases. Furthermore, the 'YOLO Mode' feature allows users to bypass all confirmation prompts for these and other write/delete operations. This combination significantly increases the risk of accidental or malicious data loss, as an agent could be prompted to execute these commands without explicit, granular user approval. Restrict access to highly destructive commands like `FLUSHDB` and `FLUSHALL`. If absolutely necessary, implement a multi-factor confirmation or a separate, explicit 'admin mode' that cannot be activated by simple phrasing. Re-evaluate the 'YOLO Mode' to ensure it does not inadvertently enable critical data loss without clear, intentional user consent for each destructive action. | LLM | SKILL.md:305 | |
| MEDIUM | Potential Data Exfiltration via `KEYS` command and direct output The skill exposes the `KEYS <pattern>` command, which is explicitly noted as 'Use with caution in production'. If an agent is prompted to use a broad pattern (e.g., `KEYS *`), it could retrieve all key names from the Redis instance. Combined with the skill's direct output of string values and JSON objects/arrays, this creates a vector for exfiltrating sensitive key names or even the data associated with those keys if subsequently retrieved. Consider restricting or logging usage of the `KEYS` command, especially with broad patterns. Prefer `SCAN` for production environments. Implement output filtering or redaction for potentially sensitive data, or require explicit user confirmation before displaying large sets of retrieved data or key names. | LLM | SKILL.md:290 | |
| LOW | Credential Exposure via Command-Line Arguments The skill allows overriding credentials using `--url` and `--token` flags. Passing sensitive information like API tokens directly as command-line arguments can expose them to other users or processes on the system, as these arguments are often visible in process lists (e.g., `ps aux`). Prioritize the use of environment variables for sensitive credentials. If command-line arguments are necessary, consider alternative methods for passing secrets, such as reading from a secure file or using an interactive prompt, to prevent exposure in process lists. | LLM | SKILL.md:24 |
Scan History
Embed Code
[](https://skillshield.io/report/f3f467cbed544556)
Powered by SkillShield