Trust Assessment
aap received a trust score of 23/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 1 critical, 1 high, 6 medium, and 2 low severity. Key findings include Unsafe deserialization / dynamic eval, Unpinned npm dependency version, Prompt Injection via Untrusted Server Challenges.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 51/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings10
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Prompt Injection via Untrusted Server Challenges The `createSolver` function in `packages/client/index.js` constructs a prompt for an LLM by directly embedding challenge strings received from an untrusted WebSocket server. A malicious AAP server could craft these challenge strings to inject instructions into the agent's LLM, potentially manipulating its behavior, extracting sensitive information, or causing it to perform unintended actions. The prompt hardening ('Respond with ONLY a JSON array') is insufficient to prevent sophisticated prompt injection attacks. Implement robust input sanitization and validation for server-provided challenge strings before embedding them into LLM prompts. Consider using a separate, isolated LLM for untrusted inputs or employing advanced prompt engineering techniques (e.g., XML tags, few-shot examples, or input/output separation) to strictly delineate trusted instructions from untrusted data. Ensure the LLM is sandboxed and has minimal access to sensitive functions or data. | LLM | packages/client/index.js:100 | |
| HIGH | Potential Data Exfiltration via Prompt Injection Following a successful prompt injection attack (SS-LLM-001), a malicious AAP server could coerce the agent's LLM into revealing sensitive information from its context, internal state, or accessible data. This information would then be included in the 'answers' generated by the LLM and subsequently transmitted back to the malicious server via the WebSocket connection, leading to data exfiltration. Mitigate prompt injection vulnerabilities (SS-LLM-001) to prevent the LLM from being manipulated. Additionally, ensure that the LLM's operational environment is strictly sandboxed, limiting its access to any sensitive user data, environment variables, or internal system resources. Implement strict data filtering on LLM outputs before they are transmitted to external services. | LLM | packages/client/index.js:110 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/ira-hash/aap-passport/packages/core/index.js:5 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/ira-hash/aap-passport/packages/server/whitelist.js:143 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/ira-hash/aap-passport/test/challenges.test.js:43 | |
| MEDIUM | Unpinned npm dependency version Dependency 'cors' is not pinned to an exact version ('^2.8.5'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/ira-hash/aap-passport/examples/express-verifier/package.json | |
| MEDIUM | Unpinned npm dependency version Dependency 'ws' is not pinned to an exact version ('^8.16.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/ira-hash/aap-passport/packages/client/package.json | |
| MEDIUM | Unpinned npm dependency version Dependency 'ws' is not pinned to an exact version ('^8.16.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/ira-hash/aap-passport/packages/server/package.json | |
| LOW | Unpinned Major Versions in Dependencies Several `package.json` files use unpinned major versions for critical dependencies (e.g., `cors: "^2.8.5"`, `express: "^4.18.2"`, `ws: "^8.16.0"`). This practice can lead to unexpected breaking changes, compatibility issues, or, in a worst-case scenario, automatically pulling in a compromised major version if one is released with malicious code. While these are widely used libraries, relying on unpinned major versions introduces a supply chain risk. Pin all dependencies to exact versions (e.g., `"cors": "2.8.5"`) or at least to minor versions (e.g., `"cors": "~2.8.5"`) to ensure consistent builds and prevent unexpected updates. Regularly audit and update dependencies to incorporate security patches. | LLM | examples/express-verifier/package.json:10 | |
| LOW | Information Disclosure to Arbitrary Servers The `aap_verify` and `aap_check_server` tools allow the agent to connect to an arbitrary `server_url` provided as a parameter. When verifying, the agent sends its public identity (public key, public ID) and challenge solutions to this server. While this is part of the protocol's design, connecting to an untrusted or malicious server could lead to the disclosure of the agent's public identity and its challenge-solving capabilities to an attacker. This is a design-level information disclosure risk, as the agent is intended to interact with various AAP servers. Advise users to only configure the agent to connect to trusted AAP servers. Implement a whitelist mechanism for `server_url` parameters in production environments, allowing connections only to known and verified endpoints. Ensure that no truly sensitive user data is ever included in the challenge solutions or agent identity information transmitted. | LLM | index.js:100 |
Scan History
Embed Code
[](https://skillshield.io/report/e8fb849823ba5560)
Powered by SkillShield