Trust Assessment
agent-chronicle received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 15 findings: 5 critical, 7 high, 2 medium, and 1 low severity. Key findings include "Arbitrary command execution", "Dangerous call: subprocess.run()", and "Node lockfile missing".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (15)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/robbyczgw-cla/agent-chronicle/scripts/export.py:64 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/robbyczgw-cla/agent-chronicle/scripts/export.py:126 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/robbyczgw-cla/agent-chronicle/scripts/export.py:137 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/robbyczgw-cla/agent-chronicle/scripts/export.py:161 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/robbyczgw-cla/agent-chronicle/scripts/generate.py:579 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'check_pandoc'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/robbyczgw-cla/agent-chronicle/scripts/export.py:64 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'export_pdf'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/robbyczgw-cla/agent-chronicle/scripts/export.py:126 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'export_html'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/robbyczgw-cla/agent-chronicle/scripts/export.py:161 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'export_pdf'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/robbyczgw-cla/agent-chronicle/scripts/export.py:137 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/robbyczgw-cla/agent-chronicle/scripts/generate.py:579 |
| HIGH | Command Injection via `pandoc` execution with user-controlled content and output path. The `scripts/export.py` script executes the `pandoc` command via `subprocess.run`. The content passed to `pandoc` is derived from diary entries, which are ultimately user-controlled. Additionally, the `--output` argument allows the user to specify the output file path. While `--sandbox` is used, `pandoc` is a powerful tool capable of executing Lua filters or processing raw HTML/LaTeX, which could be exploited for arbitrary command execution or file system access if the input markdown is crafted maliciously. Implement strict input sanitization for diary entry content before passing it to `pandoc` to neutralize any potentially executable constructs (e.g., Lua filters, raw HTML/LaTeX). Validate the `--output` path to ensure it is restricted to a designated, safe export directory within the skill's memory space, preventing writes to arbitrary system locations. Consider using a Python-native markdown-to-PDF/HTML library if `pandoc`'s sandboxing cannot be guaranteed to be fully secure against all attack vectors. | LLM | scripts/export.py:100 |
| HIGH | Unpinned Python dependencies `weasyprint` and `markdown`. The `scripts/export_pdf.py` script relies on `weasyprint` and `markdown` Python libraries. These dependencies are not pinned to specific versions, which introduces a supply chain risk. A malicious update to either of these packages could be automatically pulled in during installation, potentially compromising the skill or the agent's environment. Pin `weasyprint` and `markdown` to specific, known-good versions in a `requirements.txt` file or similar dependency management system. Ensure that the installation process for the skill includes installing these pinned dependencies. | LLM | scripts/export_pdf.py:10 |
| MEDIUM | Arbitrary file write via user-controlled output path in `export.py`. The `scripts/export.py` script allows users to specify an arbitrary output file path via the `--output` argument for exported diary entries. If the script runs with broad file system permissions, a malicious user could direct the output to sensitive system locations, potentially overwriting critical files or making exported data accessible in unintended places. Implement strict validation for the `--output` path to ensure it is restricted to a designated, safe export directory within the skill's memory space (e.g., `memory/diary/exports/`), preventing writes to arbitrary system locations. | LLM | scripts/export.py:150 |
| MEDIUM | Arbitrary file write via user-configurable `diary_path` in `setup.py`. The `scripts/setup.py` script prompts the user for a `diary_path` during setup. This path is then used to create and write various memory files (e.g., `quotes.md`, `curiosity.md`). If the provided `diary_path` is not properly validated, a malicious user could specify a sensitive system path, leading to arbitrary file creation or overwrites in unintended locations. Implement strict validation for the `diary_path` input to ensure it is a subdirectory of the skill's designated workspace or a pre-approved safe location, preventing writes to arbitrary system paths. | LLM | scripts/setup.py:105 |
| LOW | Node lockfile missing. package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/robbyczgw-cla/agent-chronicle/package.json |