Security Audit
openant-ai/openant-skills:skills/monitor-tasks
github.com/openant-ai/openant-skills
Trust Assessment
openant-ai/openant-skills:skills/monitor-tasks received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 0 high, 0 medium, 0 low, and 1 informational. The key findings are a potential command injection via the Bash tool with wildcard arguments, and an unpinned dependency version for the `npx` package.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on March 5, 2026 (commit 0ad72002). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Potential command injection via Bash tool with wildcard arguments.** The skill's manifest declares `Bash` tool permissions that end in a wildcard (`*`), such as `Bash(npx @openant-ai/cli@latest tasks get *)`, `Bash(npx @openant-ai/cli@latest tasks escrow *)` and `Bash(npx @openant-ai/cli@latest watch *)`. A wildcard rule accepts any string after the fixed prefix, so the permission layer places no constraint on what follows the subcommand. If user-controlled input (for example a `taskId`) is inserted into one of these commands and contains shell metacharacters (`;`, `&&`, `|`, `$()`, `` ` ``), and the Bash tool hands the command to a shell without escaping that argument, the result is arbitrary command execution on the host. For example, a user could ask the agent to get task ID `123; rm -rf /`; if that string is interpolated unescaped, the shell runs `rm -rf /` after the intended command. Remediation: narrow the `allowed-tools` declarations. Replace the trailing `*` with an explicit list of permitted subcommands and flags or, where the permission syntax supports it, a pattern that validates the argument (e.g. `[a-zA-Z0-9-]+`). Independently, ensure the `Bash` tool implementation escapes, or passes as a separate argv element, every argument before execution so that metacharacters cannot change the command that runs. | Static | Manifest:1 |
| INFO | **Unpinned dependency version for npx package.** The skill executes the CLI with `npx @openant-ai/cli@latest`. `@latest` always resolves to the newest published version, so every run fetches and executes whatever is currently on npm. If a malicious or compromised version of `@openant-ai/cli` is published, the skill pulls and runs it immediately, with no review step. Pinning to an exact version (e.g. `npx @openant-ai/cli@1.0.0`) in the skill's examples and `allowed-tools` declarations makes execution deterministic and turns an upgrade into a deliberate, reviewable change, at the cost of bumping the pin manually for new features and security fixes. Pair the pin with a periodic process for reviewing and updating it. | Static | SKILL.md:10 |
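The two findings above share one root: the text that reaches the shell is not constrained to what the rule author meant. The block below is an added example, not code from the SkillShield report or the openant-skills project. It builds an `allowed-tools` list from the three rules quoted in the critical finding (constructed input), models wildcard prefix matching in a simplified way (an assumption, not any particular agent runtime's exact semantics), shows the interpolated command beside the validated argv form, and flags `npx` specs that are unpinned. Every function name here is hypothetical.

```javascript
// Added example: not part of the SkillShield report or the openant-skills project.
// Models the two findings over a constructed allowed-tools list.

// Constructed from the three rules quoted in the critical finding.
const ALLOWED_TOOLS = [
  "Bash(npx @openant-ai/cli@latest tasks get *)",
  "Bash(npx @openant-ai/cli@latest tasks escrow *)",
  "Bash(npx @openant-ai/cli@latest watch *)",
];

// Parse a "Bash(<command> *)" rule into its fixed prefix. Returns null for
// rules that are not Bash rules.
function parseBashRule(rule) {
  const m = /^Bash\((.*)\)$/.exec(rule);
  if (!m) return null;
  const body = m[1];
  const wildcard = body.endsWith(" *");
  return { prefix: wildcard ? body.slice(0, -2) : body, wildcard };
}

// Simplified prefix-match model (assumption: not a specific runtime's exact
// semantics). A wildcard rule accepts any text after the prefix, so shell
// control operators appended to the task id still satisfy the rule.
function ruleAllows(rule, command) {
  const r = parseBashRule(rule);
  if (!r) return false;
  if (!r.wildcard) return command === r.prefix;
  return command === r.prefix || command.startsWith(r.prefix + " ");
}

// Characters the POSIX shell treats specially; any of these inside an
// interpolated argument can change which command is run.
const SHELL_META = /[;&|$`<>(){}\n\\'"*?]/;

// Allow-list validator from the finding's remediation: letters, digits, hyphen.
function isValidTaskId(id) {
  return /^[a-zA-Z0-9-]+$/.test(id);
}

// Vulnerable pattern: the id is interpolated into a string a shell re-parses,
// so "123; rm -rf /" becomes two commands.
function buildShellCommand(taskId) {
  return `npx @openant-ai/cli@latest tasks get ${taskId}`;
}

// Hardened pattern: validate, then pass the id as one argv element for
// execFile/spawn without shell: true, so it is never re-parsed by a shell.
function buildArgv(taskId) {
  if (!isValidTaskId(taskId)) {
    throw new Error(`rejected task id: ${JSON.stringify(taskId)}`);
  }
  return { file: "npx", args: ["@openant-ai/cli@latest", "tasks", "get", taskId] };
}

// Flags npx package specs with no version, @latest, or a range (^ or ~) in any
// text such as an allowed-tools list or SKILL.md. An exact version passes.
function findUnpinnedNpx(text) {
  const unpinned = [];
  const re = /npx\s+(@?[\w.-]+(?:\/[\w.-]+)?)(?:@([^\s)]+))?/g;
  for (const m of text.matchAll(re)) {
    const pkg = m[1];
    const version = m[2] ?? null;
    if (version === null || version === "latest" || /^[\^~]/.test(version)) {
      unpinned.push({ pkg, version });
    }
  }
  return unpinned;
}

// Audit a rule list against both findings and return the result as data.
function auditRules(rules) {
  return rules.map((rule) => {
    const r = parseBashRule(rule);
    return {
      rule,
      wildcardArgs: Boolean(r && r.wildcard),
      unpinned: findUnpinnedNpx(rule).length > 0,
    };
  });
}

// Walk the hostile input from the finding through both paths.
function demonstrate(taskId) {
  const interpolated = buildShellCommand(taskId);
  let argvAccepted = true;
  try { buildArgv(taskId); } catch (e) { argvAccepted = false; }
  return {
    interpolated,
    ruleStillMatches: ruleAllows(ALLOWED_TOOLS[0], interpolated),
    containsShellMeta: SHELL_META.test(taskId),
    argvAccepted,
  };
}
```

`buildArgv` returns the shape `child_process.execFile(file, args)` takes; keep `shell: true` off, otherwise the argv is joined back into a string and the protection is lost. `demonstrate("123; rm -rf /")` reports that the wildcard rule still matches the interpolated command while the validated argv path rejects the id, which is the gap the critical finding describes; `auditRules(ALLOWED_TOOLS)` marks all three rules as both wildcard-argument and unpinned.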
Full report: https://skillshield.io/report/521917a9fc2d80cb (powered by SkillShield)