Trust Assessment
knowledge-graph received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 2 high, 0 medium, and 0 low severity. Key findings include Indirect Prompt Injection via Untrusted Input Processing, Command Injection via Dynamic File Path and Content Creation, Potential Data Exfiltration via Command Injection Vulnerability.
The analysis covered 4 layers: dependency_graph, static_code_analysis, llm_behavioral_safety, manifest_analysis. The llm_behavioral_safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 0676c56a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via Dynamic File Path and Content Creation.** The skill describes creating directories and files using shell commands (`mkdir -p`, `echo`, `cat`) where parts of the file path (`<slug>`) and content are derived from extracted entities and facts. If the agent directly executes these commands and the entity names or fact content are not properly sanitized, a malicious entity name (e.g., containing path traversal sequences like `../../` or command separators like `;`) could lead to arbitrary command execution on the host system. For example, `mkdir -p life/areas/people/$(rm -rf /)` could be catastrophic if not properly escaped. All dynamically generated parts of shell commands, especially file paths and content, must be rigorously sanitized and validated. Avoid direct shell execution with unsanitized input. Prefer using safer file system APIs provided by the agent's runtime environment (e.g., Python's `os.makedirs`, `open()`) instead of raw shell commands. Ensure that entity slugs and fact content cannot contain path traversal characters (`..`, `/`), command separators (`;`, `&`, `|`), or other shell metacharacters. | Unknown | SKILL.md:160 |
| HIGH | **Indirect Prompt Injection via Untrusted Input Processing.** The skill explicitly instructs the agent to read 'today's daily note' and 'recent conversation context' for fact extraction. These sources are highly likely to contain untrusted user input. If a malicious user crafts input within these daily notes or conversations, it could lead to prompt injection against the agent's underlying Large Language Model (LLM), potentially compromising its behavior or extracting sensitive information. Implement robust input sanitization and validation for all data ingested from daily notes and conversation context before feeding it to the LLM. Consider using a separate, sandboxed LLM call or a dedicated input parsing mechanism for processing untrusted input to isolate potential injection attempts. | Unknown | SKILL.md:78 |
| HIGH | **Potential Data Exfiltration via Command Injection Vulnerability.** While the skill does not explicitly instruct data exfiltration, it grants the agent access to sensitive user data, including daily notes (`memory/YYYY-MM-DD.md`), conversation context, and structured facts (`facts.jsonl`). Combined with the identified command injection vulnerability (SS-LLM-003), an attacker could potentially exploit the command injection to instruct the agent to read these sensitive files and exfiltrate their contents to an external server using shell commands like `curl` or `wget`. Address the underlying command injection vulnerability (SS-LLM-003) as a primary mitigation. Additionally, restrict the agent's network access to only necessary endpoints. Implement data loss prevention (DLP) mechanisms if highly sensitive data is involved, and ensure the agent operates within a sandboxed environment with minimal file system and network permissions. | Unknown | SKILL.md:78 |
Report: https://skillshield.io/report/d25cc0dfa826a287
Powered by SkillShield