Trust Assessment
agent-hq received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. The findings are External Repository Clone, Execution of Untrusted External Scripts, and Handling of Sensitive Credentials.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | External Repository Clone: the skill instructs the user to clone an external GitHub repository (`https://github.com/thibautrey/agent-hq.git`). This is a supply-chain risk: the integrity of the skill depends on an external, unverified source that is not part of the skill package, and a malicious change to that repository would put arbitrary code on the user's system. Package all necessary code inside the skill and do not clone external repositories at runtime. If an external dependency is unavoidable, fetch it through a trusted package manager with locked dependencies and verify its integrity. | LLM | SKILL.md:19 |
| HIGH | Execution of Untrusted External Scripts: the skill instructs the user to run `npm install`, `npm run build`, `npm run start:agent-hq`, `node scripts/jarvis-connector.js`, `scripts/notify-jarvis-telegram.js`, and `run-telegram-notifier.sh`. All of these execute code from the externally cloned repository (`https://github.com/thibautrey/agent-hq.git`), which is not part of the skill package, so they amount to executing unverified third-party code: a malicious change in that repository leads directly to arbitrary code execution on the user's system. Bundle all executable scripts and dependencies inside the skill package and avoid executing scripts from external sources; where that is unavoidable, run them under strict sandboxing and validate their inputs. | LLM | SKILL.md:21 |
| MEDIUM | Handling of Sensitive Credentials: the skill requires the user to configure a Telegram bot token, a chat ID, and an API token (`AGENT_HQ_API_TOKEN`), supplied through `config/telegram.json` or environment variables. Because the application code that reads them comes from an external, untrusted GitHub repository, malicious code in that repository could harvest, misuse, or exfiltrate these credentials. Design skills to minimise direct handling of secrets; where it is necessary, keep all credential-handling code inside the reviewed skill package, and prefer a secrets-management mechanism over plain files or environment variables where possible. | LLM | SKILL.md:26 |
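The three findings above are all detectable from the text of a SKILL.md alone: an instruction to `git clone` something, commands that execute files from that clone, and secret-looking configuration names that the cloned code will read. The linter below, an added example that is not SkillShield's scanner and does not reproduce its scoring, flags those three classes over a constructed sample manifest modelled on the flagged instructions. The repository URL and `AGENT_HQ_API_TOKEN` come from the report; `TELEGRAM_BOT_TOKEN`, `TELEGRAM_CHAT_ID`, the placeholder commit hash, the regexes, and the rule that a clone pinned to a full commit hash drops from CRITICAL to MEDIUM (and the scripts it runs from HIGH to MEDIUM) are this example's own assumptions, not SkillShield's.

```python
"""Lint a SKILL.md for the three risk classes in the SkillShield report:
external clone, execution of scripts from that clone, credential handling.
Added example; not SkillShield's scanner and not a reproduction of its scores."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the flagged instructions; not the real SKILL.md.
# TELEGRAM_BOT_TOKEN / TELEGRAM_CHAT_ID are assumed names; AGENT_HQ_API_TOKEN is from the report.
SAMPLE_SKILL_MD = """\
# agent-hq skill (constructed sample)

## Setup
git clone https://github.com/thibautrey/agent-hq.git
cd agent-hq
npm install
npm run build

## Run
npm run start:agent-hq
node scripts/jarvis-connector.js

## Configuration
Set TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID and AGENT_HQ_API_TOKEN in config/telegram.json.
"""

# Same sample with a pinned checkout (placeholder commit hash) and a lockfile install.
PINNED_SKILL_MD = SAMPLE_SKILL_MD.replace(
    "cd agent-hq\n",
    "cd agent-hq\ngit checkout 0123456789abcdef0123456789abcdef01234567\n",
).replace("npm install", "npm ci")

CLONE_RE = re.compile(r"\bgit\s+clone\s+(?:-\S+\s+)*(?P<url>\S+)")
PIN_RE = re.compile(r"\bgit\s+checkout\s+(?P<sha>[0-9a-f]{40})\b")
EXEC_RE = re.compile(
    r"\b(?:npm\s+(?:install|ci|i|run\s+\S+|start)|npx\s+\S+|node\s+\S+\.js"
    r"|(?:bash|sh)\s+\S+\.sh|\./\S+\.sh)"
)
SECRET_RE = re.compile(r"\b[A-Z][A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|API_KEY|CHAT_ID)\b")
SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]


@dataclass
class Finding:
    severity: str
    title: str
    line: int
    detail: str


def lint_skill(text: str) -> list[Finding]:
    """Return findings in document order: clones first, then executions, then secrets."""
    lines = text.splitlines()
    findings: list[Finding] = []

    clones = [(n, m.group("url")) for n, ln in enumerate(lines, 1) if (m := CLONE_RE.search(ln))]
    pins = [m.group("sha") for ln in lines if (m := PIN_RE.search(ln))]
    pinned = bool(clones) and bool(pins)

    for n, url in clones:
        if pinned:
            # A pin only fixes *which* commit runs; it does not prove that commit was reviewed.
            findings.append(Finding("MEDIUM", "External repository clone (pinned)", n,
                                    f"{url} checked out at {pins[0][:12]}; confirm this commit was reviewed"))
        else:
            findings.append(Finding("CRITICAL", "External repository clone (unpinned)", n,
                                    f"{url} tracks a branch, so any push to it changes what runs"))

    for n, ln in enumerate(lines, 1):
        m = EXEC_RE.search(ln)
        if not m:
            continue
        if clones:
            sev = "MEDIUM" if pinned else "HIGH"
            detail = f"`{m.group(0)}` runs code that is not part of the skill package"
        else:
            sev = "LOW"
            detail = f"`{m.group(0)}` runs a script; confirm it is bundled with the skill"
        findings.append(Finding(sev, "Execution of external scripts", n, detail))

    for n, ln in enumerate(lines, 1):
        names = sorted(set(SECRET_RE.findall(ln)))
        if names:
            # Secrets are only MEDIUM here because the code reading them is external.
            sev = "MEDIUM" if clones else "LOW"
            where = "reach code the skill package does not contain" if clones else "are handled by the skill"
            findings.append(Finding(sev, "Handling of sensitive credentials", n, f"{', '.join(names)} {where}"))
    return findings


def overall_severity(findings: list[Finding]) -> str:
    """Worst severity present, or NONE when the manifest triggered nothing."""
    if not findings:
        return "NONE"
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index)


if __name__ == "__main__":
    for name, doc in (("unpinned", SAMPLE_SKILL_MD), ("pinned", PINNED_SKILL_MD)):
        fs = lint_skill(doc)
        print(f"{name}: {overall_severity(fs)}")
        for f in fs:
            print(f"  {f.severity:8} line {f.line:2}  {f.title}: {f.detail}")
```

Running it on the unpinned sample yields one CRITICAL clone, four HIGH executions and one MEDIUM credential finding, matching the shape of the report above; the pinned variant drops everything to MEDIUM, which is the point of the recommendation to lock dependencies. Note that pinning still fetches code at runtime, so it is a mitigation, not a substitute for bundling the code in the skill package.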
Full report: https://skillshield.io/report/ab0c186955c842ed
Powered by SkillShield