Security Audit
openant-ai/openant-skills:skills/manage-teams
github.com/openant-ai/openant-skills

Trust Assessment
openant-ai/openant-skills:skills/manage-teams received a trust score of 48/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Potential Command Injection via unsanitized arguments to `npx` commands, Overly broad `Bash` permission for `npx` commands, Use of unpinned `npx @latest` dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on March 5, 2026 (commit 0ad72002). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Details | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Potential Command Injection via unsanitized arguments to `npx` commands | The skill's `allowed-tools` permission `Bash(npx @openant-ai/cli@latest teams *)` grants the agent the ability to execute arbitrary commands following `npx @openant-ai/cli@latest teams`. If user-provided input for parameters such as `--name`, `--description`, `<teamId>`, or `<userId>` is not properly sanitized (e.g., by escaping shell metacharacters) before being passed to the `npx` command, an attacker could inject malicious shell commands. For instance, providing `team_id; rm -rf /` as a team ID could lead to arbitrary code execution on the host system. | Implement robust input sanitization and validation for all user-provided arguments before constructing shell commands. Ensure that all arguments are properly escaped or quoted to prevent shell metacharacter interpretation. Consider using a more restrictive `allowed-tools` pattern if possible, or ensure the agent's command construction logic explicitly handles argument safety. | Static | Manifest |
| HIGH | Overly broad `Bash` permission for `npx` commands | The `allowed-tools` permissions `Bash(npx @openant-ai/cli@latest status*)` and `Bash(npx @openant-ai/cli@latest teams *)` use a wildcard `*` which grants the agent the ability to execute any subcommand or argument after `status` or `teams`. This broad permission significantly increases the attack surface for command injection if the agent's input handling is not perfectly secure. It allows for the execution of commands beyond the intended scope of team management, potentially enabling an attacker to invoke unintended or malicious CLI functionalities. | Restrict the `allowed-tools` permissions to only the specific subcommands and argument patterns required for the skill's functionality. For example, instead of `Bash(npx @openant-ai/cli@latest teams *)`, specify `Bash(npx @openant-ai/cli@latest teams list --discover --json)` or `Bash(npx @openant-ai/cli@latest teams get <teamId> --json)` with explicit argument types/patterns. This would require more granular permissions but would significantly reduce the risk of unintended command execution. | Static | Manifest |
| MEDIUM | Use of unpinned `npx @latest` dependency | The skill relies on `npx @openant-ai/cli@latest` for executing CLI commands. Using `@latest` means that the specific version of the `@openant-ai/cli` package is not pinned and can change over time. This introduces a supply chain risk, as a malicious or vulnerable update to the `latest` version of the CLI could compromise the agent without requiring a change to the skill's manifest or code. This lack of version immutability can lead to unexpected behavior or security vulnerabilities. | Pin the `npx` dependency to a specific, immutable version (e.g., `npx @openant-ai/cli@1.2.3`) to ensure deterministic behavior and prevent unexpected changes or malicious updates. Regularly review and update the pinned version to benefit from security patches and new features. | Static | SKILL.md:10 |
Powered by SkillShield