Trust Assessment
4to1-planner received a trust score of 21/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 2 high, 2 medium, and 0 low severity. Key findings include Sensitive environment variable access: $HOME, Remote code execution: curl/wget pipe to shell, Command Injection via Sourced Configuration File.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/qingxuantang/4to1-planner/scripts/status.sh:21 | |
| CRITICAL | Command Injection via Sourced Configuration File The `scripts/setup.sh` script writes user-provided input (Notion API key, Notion parent page ID, Todoist API token) directly into `~/.config/4to1/config` without sanitization. The `scripts/status.sh` script then uses `source "$CONFIG"` to load this configuration file. This allows an attacker to inject arbitrary shell commands into the configuration file during setup, which will be executed with the skill's permissions when `scripts/status.sh` is run. For example, if a user enters `ntn_abc; rm -rf /` as their Notion API key, the `rm -rf /` command will be executed. Do not use `source` to load configuration files that contain user-provided input. Instead, parse the configuration file safely, for example, by reading line by line and extracting key-value pairs using `awk` or a dedicated parsing function that does not execute arbitrary commands. Ensure all user inputs are properly sanitized or escaped before being written to configuration files. | LLM | scripts/status.sh:10 | |
| HIGH | Command Injection / Data Exfiltration via Unquoted Variables in Shell Commands Variables sourced from the user-controlled configuration file (`$NOTION_API_KEY`, `$NOTION_PARENT_PAGE`, `$TODOIST_API_KEY`, `$LOCAL_DIR`) are used directly within `curl` and `find` commands without proper quoting or sanitization. This creates a command injection vulnerability where malicious input in these variables could be interpreted as additional command arguments or separate commands. For instance, a crafted API key could inject `curl` options (e.g., `--data-binary @/etc/passwd`) to exfiltrate local files, or a malicious `LOCAL_DIR` could execute arbitrary commands via `find -exec`. After safely parsing the configuration file (as per the previous recommendation), ensure all variables derived from user input are properly quoted when used in shell commands (e.g., `"$VARIABLE"`). For `curl` commands, consider using the `--header 'Authorization: Bearer $NOTION_API_KEY'` syntax where the entire header value is quoted, or pass arguments as an array to prevent argument injection. For `find`, ensure the directory path is always quoted. | LLM | scripts/status.sh:20 | |
| HIGH | Credential Harvesting Risk via Unsanitized User Input to Config File The `scripts/setup.sh` script prompts the user for sensitive credentials (Notion API key, Todoist API token) and writes them directly to `~/.config/4to1/config`. While the primary risk is command injection due to `source`, the direct writing of unsanitized user input into a configuration file that is later processed by other scripts (even if not sourced) poses a risk. If the skill were to later expose this config file content or process it insecurely, it could lead to credential harvesting. The `grep | cut` method used in `SKILL.md` for extracting keys is more robust, but the `source` in `status.sh` bypasses this safety. Implement robust input validation and sanitization for all user-provided credentials. Ensure that sensitive information is stored securely, preferably using environment variables or a secure secrets management system, rather than directly in plain-text configuration files that are sourced. If file storage is necessary, ensure the file permissions are restrictive and the content is properly escaped for its intended parsing method. | LLM | scripts/setup.sh:24 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/qingxuantang/4to1-planner/scripts/setup.sh:7 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/qingxuantang/4to1-planner/scripts/status.sh:5 |
Scan History
Embed Code
[](https://skillshield.io/report/a606eb9decaa8579)
Powered by SkillShield