Security Audit
openant-ai/openant-skills:skills/submit-work
github.com/openant-ai/openant-skills
Trust Assessment
openant-ai/openant-skills:skills/submit-work received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via Bash Tool Arguments, Supply Chain Risk - Unpinned Dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on March 5, 2026 (commit 0ad72002). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Potential Command Injection via Bash Tool Arguments: The skill's `allowed-tools` define Bash commands with a wildcard `*` for arguments (e.g., `Bash(npx @openant-ai/cli@latest upload *)`). This allows the agent to pass arbitrary strings as arguments to the `npx` commands. If the underlying Bash tool executor does not properly sanitize or quote these arguments before executing them in a shell, a malicious agent or user input could inject arbitrary shell commands. For example, an argument like `'; rm -rf /; #'` could lead to arbitrary code execution. This is a common vulnerability pattern when shell commands are constructed by concatenating user-controlled input without proper escaping. The `Bash` tool executor must ensure all arguments provided by the agent are properly quoted and escaped before being passed to the shell. Ideally, arguments should be passed as an array to `subprocess.run` (or equivalent) with `shell=False` to prevent shell interpretation. If `shell=True` is strictly necessary, then robust escaping (e.g., `shlex.quote` in Python) is mandatory for all user-controlled parts of the command string. | LLM | Manifest |
| HIGH | Supply Chain Risk - Unpinned Dependency: The skill relies on `npx @openant-ai/cli@latest` as a declared tool. Using `@latest` means the skill will always fetch the most recent version of the `@openant-ai/cli` package. This introduces a supply chain risk, as a malicious or buggy update to the package could be automatically executed without review, potentially leading to security vulnerabilities, unexpected behavior, or a denial of service. Pin the dependency to a specific version (e.g., `npx @openant-ai/cli@1.2.3`) to ensure deterministic and reviewable behavior. Regularly update the pinned version after security review and testing. | LLM | Manifest |
Full report: https://skillshield.io/report/862d039f2357f8fe
Powered by SkillShield