Trust Assessment
agent-identity-kit received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 1 high, 3 medium, and 0 low severity. Key findings include: "Missing required field: name"; "JSON Injection via unescaped user input in init.sh"; and "Command Injection via Python code injection in validate.sh".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 41/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via Python code injection in validate.sh.** The `scripts/validate.sh` script executes a Python command using `python3 -c "..."`. The Python string is constructed by directly embedding user-provided file paths (`$SCHEMA` and `$FILE`) without properly escaping single quotes. A malicious user can inject arbitrary Python code by providing a file path containing a single quote, followed by Python code (e.g., `'); import os; os.system('evil_command'); #`), which will then be executed by the `python3 -c` command. This allows for arbitrary command execution on the host system. When embedding shell variables into a Python string executed by `python3 -c`, ensure that all special characters (especially single quotes) are properly escaped. A safer approach is to pass the file paths as arguments to the Python script (e.g., `python3 myscript.py "$SCHEMA" "$FILE"`) and parse them using `sys.argv` within the Python script. | LLM | scripts/validate.sh:53 |
| HIGH | **Supply Chain Risk: Unpinned dependency installation in validate.sh.** The `scripts/validate.sh` script attempts to install the `jsonschema` Python package at runtime using `pip install jsonschema` if it's not found. This installation does not specify a version, making it vulnerable to supply chain attacks where a malicious or vulnerable version of `jsonschema` could be published and automatically installed. This could introduce vulnerabilities or backdoors into the system. Pin the dependency to a specific, known-good version (e.g., `pip install jsonschema==X.Y.Z`). Ideally, dependencies should be managed and installed upfront in a controlled environment (e.g., a virtual environment or container image) rather than dynamically installed at runtime. | LLM | scripts/validate.sh:58 |
| MEDIUM | **Missing required field: name.** The `name` field is required for claude_code skills but is missing from the frontmatter. Add a `name` field to the SKILL.md frontmatter. | Static | skills/ryancampbell/agent-identity-kit/SKILL.md:1 |
| MEDIUM | **JSON Injection via unescaped user input in init.sh.** The `scripts/init.sh` script constructs an `agent.json` file by directly embedding user-provided inputs (e.g., `AGENT_NAME`, `AGENT_HANDLE`, `OWNER_NAME`) into a JSON string without proper escaping of special characters like double quotes (`"`) or backslashes (`\`). This allows a malicious user to inject arbitrary JSON key-value pairs or break the JSON structure, potentially leading to data manipulation or unexpected behavior in systems consuming this `agent.json` file. Escape all user-provided strings before embedding them into JSON. For shell scripts, this typically involves replacing `"` with `\"` and `\` with `\\`. A more robust solution would be to use a JSON parsing utility (like `jq`) to construct the JSON object safely. | LLM | scripts/init.sh:64 |
| MEDIUM | **Excessive Permissions: Runtime dependency installation in validate.sh.** The `scripts/validate.sh` script attempts to install Python packages (`jsonschema`) at runtime using `pip install`. This requires elevated permissions or write access to the Python environment, which is generally considered an excessive permission for a validation script. It increases the attack surface by allowing the script to modify the system's Python environment, and if combined with other vulnerabilities (like the unpinned dependency), it exacerbates the risk. Dependencies should be pre-installed in a controlled environment (e.g., a virtual environment or container) before the script is run. The script should only assume the presence of its dependencies, not attempt to install them. If installation is necessary, it should be a separate, explicit step performed by an administrator. | LLM | scripts/validate.sh:58 |