Trust Assessment
skill-sync received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. They are: Path Traversal in skill installation and push operations (high); Command Injection via `gh pr create` arguments in `cmd_push` (high); and Automatic execution permission for downloaded scripts (medium). All three stem from the same input, the user-supplied `skill_name`, reaching filesystem and CLI operations without validation, plus an unconditional `chmod +x`.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, dependency_graph, static_code_analysis. The llm_behavioral_safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit 0676c56a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Path Traversal in skill installation and push operations | Unknown | scripts/skill-sync:100 |
| HIGH | Command Injection via `gh pr create` arguments in `cmd_push` | Unknown | scripts/skill-sync:170 |
| MEDIUM | Automatic execution permission for downloaded scripts | Unknown | scripts/skill-sync:112 |

HIGH: Path Traversal in skill installation and push operations (scripts/skill-sync:100)

The `skill-sync` script uses the user-provided `skill_name` directly when building the paths passed to `rm -rf` and `cp -r` in `install_single_skill` and `cmd_push`. A `skill_name` containing traversal sequences such as `../` lets an attacker delete arbitrary files or directories, or copy files from the cloned repository to arbitrary locations on the user's filesystem. For example, `skill-sync install ../../../evil_dir` would perform file operations outside the designated skill directories.

Remediation: validate `skill_name` before any path is built from it, at the top of every function that accepts it as user input. A denylist check such as `if [[ "$skill_name" =~ [/\.] ]]; then error "Invalid skill name"; exit 1; fi` blocks `/` and `..`, but it also rejects any legitimate name containing a dot and does not reject a leading `-`. An allowlist such as `[[ "$skill_name" =~ ^[A-Za-z0-9][A-Za-z0-9_-]*$ ]] || { error "Invalid skill name"; exit 1; }` rejects `/`, `\`, `..`, whitespace and a leading `-` in one step and is easier to reason about.

HIGH: Command Injection via `gh pr create` arguments in `cmd_push` (scripts/skill-sync:170)

`cmd_push` builds a `gh pr create` command with the user-provided `skill_name` in the `--title` value and in `branch_name`, which is derived from `skill_name` and passed to `--head`. If that expansion is unquoted, a `skill_name` such as `my-skill --title "malicious title" --body ...` is split into several words, and the attacker-controlled words are parsed by `gh` as additional options (option injection); the same value also reaches `git` as a branch name. Note that bash does not evaluate `$(...)` contained in a variable's value during ordinary expansion, so a payload like `$(rm -rf ~)` inside `skill_name` only executes if the script later passes the assembled string through `eval` or `sh -c`. The direct impact is therefore argument injection into `gh` and `git`, with arbitrary command execution only where such re-evaluation exists.

Remediation: validate `skill_name` with the same allowlist as above, always expand it quoted (`--title "$skill_name"`, `--head "$branch_name"`), and reject names beginning with `-`. `printf %q` is only needed when a command line is assembled as a string for `eval`; passing each value as its own quoted argument avoids escaping altogether.

MEDIUM: Automatic execution permission for downloaded scripts (scripts/skill-sync:112)

`install_single_skill` runs `chmod +x` on every file under a skill's `scripts/` directory after copying it from the remote repository. Any malicious script added to a skill's `scripts/` directory in the `PSPDFKit/clawdbot-skills` repository therefore becomes executable on the user's system at the next install or update, which amplifies the impact of a compromise of that repository. Making scripts executable is often what users want, but doing it unconditionally for every file widens the blast radius.

Remediation: decide whether a blanket `chmod +x` is strictly necessary. Options are: 1) only mark specific, known script files executable; 2) prompt the user before setting the execute bit; 3) leave it to the user to `chmod +x` the scripts they trust. Each limits what a compromised skill can turn into an executable.
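The following bash is an added example written for this report; it is not code from the `skill-sync` script or from the `PSPDFKit/clawdbot-skills` repository. It covers all three findings in one place: an allowlist validator for `skill_name`, a second containment check on the resolved destination path before anything like `rm -rf` or `cp -r` runs, a demonstration of how unquoted expansion turns one crafted name into several `gh` arguments and how an argv array avoids that, and an allowlisted replacement for the blanket `chmod +x`. The function names, the `scripts/.executables` manifest and the use of GNU coreutils `realpath -m` are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example for the skill-sync findings; not the project's own code.
# Assumes bash 4+ and GNU coreutils realpath (-m). Function names and the
# scripts/.executables manifest are hypothetical.
set -euo pipefail

# Finding 1 remediation: allowlist the name before it touches any path.
# Rejects "/", "\", "..", whitespace and a leading "-" (which gh/git would
# otherwise parse as an option) in a single check.
validate_skill_name() {
  local name="$1"
  [[ "$name" =~ ^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$ ]]
}

# Defence in depth for rm -rf / cp -r: resolve the destination and confirm it
# is still below the skills root even after ".." normalisation.
skill_dest_path() {
  local root="$1" name="$2" dest
  validate_skill_name "$name" || return 1
  dest="$(realpath -m -- "$root/$name")"
  case "$dest" in
    "$root"/*) printf '%s\n' "$dest" ;;
    *) return 1 ;;
  esac
}

# Finding 2: what unquoted expansion does to a crafted skill_name. The value
# is never evaluated as shell code, but word splitting hands gh extra options.
count_args() { echo "$#"; }
argc_unquoted() { count_args $1; }   # vulnerable pattern: splits on IFS
argc_quoted()   { count_args "$1"; } # correct: always exactly one argv entry

# Finding 2 remediation: validate, then pass every user value as one quoted
# word inside an argv array. Nothing here needs printf %q or eval.
build_pr_argv() {
  local name="$1"
  validate_skill_name "$name" || return 1
  PR_ARGV=(gh pr create
           --head "sync/$name"
           --title "Sync skill: $name"
           --body "Automated skill sync for $name")
}

# Finding 3 remediation: only mark files the skill explicitly declares in
# scripts/.executables (one relative file name per line), skipping symlinks,
# dotfiles and anything with a path separator. Prints the number marked.
mark_allowed_executables() {
  local dir="$1" list="$1/.executables" rel marked=0
  [[ -f "$list" ]] || { echo 0; return 0; }
  while IFS= read -r rel; do
    [[ "$rel" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]] || continue
    [[ -f "$dir/$rel" && ! -L "$dir/$rel" ]] || continue
    chmod u+x -- "$dir/$rel"
    marked=$((marked + 1))
  done < "$list"
  echo "$marked"
}
```

Running `"${PR_ARGV[@]}"` after `build_pr_argv my-skill` invokes `gh` with exactly nine argv entries regardless of what the name contains, whereas `argc_unquoted 'my-skill --title x'` shows the same string becoming three entries when expanded unquoted. The containment check in `skill_dest_path` is deliberately redundant with the validator: if a future change relaxes the allowlist, the `case` on the resolved path still refuses anything outside the skills root.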
Full report: https://skillshield.io/report/d19548b99b08158c
Powered by SkillShield