Trust Assessment
agent-protocol received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis reported 18 findings: 8 critical, 8 high, 1 medium, and 1 low severity. Key findings include arbitrary command execution, unsafe deserialization / dynamic eval, and dangerous calls to subprocess.run(). Note that the count overstates the number of distinct problems: the five subprocess.run() call sites in subscribe.py and workflow_engine.py are each reported twice (once by the Manifest layer as critical, once by the Static layer as high), and three of the LLM findings anchored at subscribe.py:160 describe consequences of the same handler-execution issue rather than separate defects.
The analysis covered four layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The Manifest Analysis layer scored lowest, at 0/100.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (18)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Remediation: review all shell execution calls; ensure commands are static (not built from user input), use absolute paths, and are strictly necessary; prefer library APIs over shell commands. | Manifest | skills/robbyczgw-cla/agent-protocol/scripts/subscribe.py:115 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Remediation: as above. | Manifest | skills/robbyczgw-cla/agent-protocol/scripts/subscribe.py:122 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Remediation: as above. | Manifest | skills/robbyczgw-cla/agent-protocol/scripts/subscribe.py:129 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Remediation: as above. | Manifest | skills/robbyczgw-cla/agent-protocol/scripts/workflow_engine.py:293 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Remediation: as above. | Manifest | skills/robbyczgw-cla/agent-protocol/scripts/workflow_engine.py:301 |
| CRITICAL | Arbitrary command execution: Node.js child_process require. Remediation: review all shell execution calls; ensure commands are static (not built from user input), use absolute paths, and are strictly necessary; prefer library APIs over shell commands. | Manifest | skills/robbyczgw-cla/agent-protocol/scripts/protocol.js:8 |
| CRITICAL | Command injection via arbitrary handler execution. The `scripts/subscribe.py` script's `_call_handler` method directly executes an external script or command specified in the `handler` field of a subscription. If an attacker can modify the `subscriptions.json` file or influence its content (e.g., through a malicious event or workflow), they can inject arbitrary shell commands or paths to malicious executables, giving arbitrary code execution with the privileges of the `subscribe.py` process. Remediation: implement a strict allowlist for handler paths and commands; do not allow arbitrary paths or commands to be executed; consider sandboxing (e.g., containers, restricted environments) for handler execution; validate and sanitize all inputs used in `subprocess.run` calls; if handlers are meant to be Python functions, import and call them directly rather than executing them as external processes. | LLM | scripts/subscribe.py:160 |
| CRITICAL | Command injection via workflow agent/action execution. The `scripts/workflow_engine.py` script's `_execute_step` method constructs and executes a command using `subprocess.run` where `agent_name` and `action_name` are taken directly from workflow definitions. If an attacker can modify workflow JSON files (e.g., in `config/workflows/`), they can inject arbitrary shell commands into these fields, giving arbitrary code execution with the privileges of the `workflow_engine.py` process. Remediation: implement a strict allowlist for agent names and actions; do not pass arbitrary strings from workflow definitions to `subprocess.run` without validation and sanitization; ensure that `agent_runner` invokes agents and actions safely, ideally by calling specific functions rather than re-interpreting commands; consider sandboxing for agent execution. | LLM | scripts/workflow_engine.py:308 |
| HIGH | Dangerous call: subprocess.run() detected in function `_call_handler`. This can execute arbitrary code. Remediation: avoid dangerous functions like exec/eval/os.system; use safer alternatives. | Static | skills/robbyczgw-cla/agent-protocol/scripts/subscribe.py:115 |
| HIGH | Dangerous call: subprocess.run() detected in function `_call_handler`. Remediation: as above. | Static | skills/robbyczgw-cla/agent-protocol/scripts/subscribe.py:122 |
| HIGH | Dangerous call: subprocess.run() detected in function `_call_handler`. Remediation: as above. | Static | skills/robbyczgw-cla/agent-protocol/scripts/subscribe.py:129 |
| HIGH | Dangerous call: subprocess.run() detected in function `_call_agent`. Remediation: as above. | Static | skills/robbyczgw-cla/agent-protocol/scripts/workflow_engine.py:293 |
| HIGH | Dangerous call: subprocess.run() detected in function `_call_agent`. Remediation: as above. | Static | skills/robbyczgw-cla/agent-protocol/scripts/workflow_engine.py:301 |
| HIGH | Excessive permissions due to arbitrary code execution. Both `scripts/subscribe.py` and `scripts/workflow_engine.py` execute arbitrary external scripts or commands based on untrusted input (subscription handlers or workflow agent/action definitions). Malicious code can therefore perform any action the `subscribe.py` or `workflow_engine.py` process can, including reading/writing files, making network requests, or manipulating the system. Remediation: implement robust sandboxing for all executed handlers and agents (chroot jails, containers, or dedicated low-privilege user accounts); restrict filesystem access, network access, and available commands for executed code; review whether executing arbitrary external scripts is necessary at all, and prefer direct function calls for known, trusted handlers. | LLM | scripts/subscribe.py:160 |
| HIGH | Data exfiltration risk via arbitrary code execution. As a direct consequence of the command injection in `scripts/subscribe.py` and `scripts/workflow_engine.py`, an attacker can craft malicious handlers or agent actions that read sensitive files (configuration files, user data, environment variables) and exfiltrate them to an external server or write them to publicly accessible locations. Remediation: fix the underlying command injection; implement strict sandboxing and network egress filtering for executed code; regularly audit logs for suspicious handler or workflow execution. | LLM | scripts/subscribe.py:160 |
| HIGH | Prompt injection risk via arbitrary code execution. Given arbitrary code execution through `scripts/subscribe.py` and `scripts/workflow_engine.py`, an attacker could deploy a malicious handler or agent action. If the agent protocol interacts with an LLM, that code could craft and inject malicious prompts, manipulate LLM behavior, or extract sensitive information from the LLM's context, bypassing any LLM-specific prompt injection defenses. Remediation: address the root cause with input validation, allowlisting, and sandboxing for all executed handlers and agents; ensure that LLM interactions are performed by trusted, isolated components that untrusted code cannot manipulate. | LLM | scripts/subscribe.py:160 |
| MEDIUM | Unsafe deserialization / dynamic eval: decryption followed by code execution. Remediation: remove obfuscated code execution patterns; legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/robbyczgw-cla/agent-protocol/scripts/event_bus.py:5 |
| LOW | Node lockfile missing: package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Remediation: commit a lockfile for deterministic dependency resolution. | Dependencies | skills/robbyczgw-cla/agent-protocol/package.json |
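The two command-injection findings above (the `handler` string in subscribe.py and the `agent_name`/`action_name` fields in workflow_engine.py) share one shape and one fix: a string read from a JSON file is treated as a command. The following is an added example written for this report, not code from the agent-protocol project. It shows the flagged shape beside an allowlisted dispatch of the kind the remediation text describes. The subscriptions.json layout, the handler and agent names, the `/usr/local/bin/archive-task` path and all helper names are assumptions.

```python
import json
import re
import shlex
import subprocess
from typing import Callable

# Constructed sample: the shape a subscriptions.json might take (assumed layout,
# not the project's real file). The second and third entries are what an
# attacker who can write the file, or get a value persisted into it, would plant.
SAMPLE_SUBSCRIPTIONS = {
    "subscriptions": [
        {"event": "task.created", "handler": "notify"},
        {"event": "task.created", "handler": "notify; id > /tmp/pwned"},
        {"event": "task.created", "handler": "/tmp/evil.sh"},
    ]
}


def build_command_unsafe(handler: str, payload: dict) -> list[str]:
    """The flagged shape: the handler string from the file becomes the command.

    Returns the argv that a subprocess.run(..., shell=True) call would spawn
    instead of spawning it. Quoting the payload does not help: the handler text
    itself is parsed by /bin/sh, so ';', '|' or '$(...)' inside it runs a second
    command, and without a shell an absolute path like /tmp/evil.sh still runs.
    """
    return ["/bin/sh", "-c", f"{handler} {shlex.quote(json.dumps(payload))}"]


# --- hardened dispatch for the subscribe.py _call_handler case ---------------

def _notify(payload: dict) -> str:
    return f"notified:{payload['id']}"


# Handler *names* in the file map to in-process functions (the remediation the
# report prefers) or to a fixed argv with an absolute path. Nothing read from
# the JSON is ever interpreted as a command or a path.
HANDLERS: dict[str, Callable[[dict], str]] = {"notify": _notify}
EXTERNAL_HANDLERS: dict[str, list[str]] = {
    "archive": ["/usr/local/bin/archive-task"],  # assumed path; static argv
}


def is_allowed_handler(handler: str) -> bool:
    return handler in HANDLERS or handler in EXTERNAL_HANDLERS


def dispatch(sub: dict, payload: dict) -> str:
    name = sub["handler"]
    if not is_allowed_handler(name):
        raise ValueError(f"handler not allowlisted: {name!r}")
    if name in HANDLERS:
        return HANDLERS[name](payload)
    proc = subprocess.run(
        EXTERNAL_HANDLERS[name],     # static argv, shell=False (the default)
        input=json.dumps(payload),   # event data travels on stdin, never in argv
        capture_output=True, text=True, timeout=30, check=True,
    )
    return proc.stdout.strip()


def audit_subscriptions(config: dict) -> list[str]:
    """Pre-load check: every handler value that dispatch() would reject."""
    return [s["handler"] for s in config["subscriptions"]
            if not is_allowed_handler(s["handler"])]


# --- same idea for the workflow_engine.py agent/action fields ----------------

AGENTS: dict[str, set[str]] = {"planner": {"plan", "review"}}  # assumed names
_NAME = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def is_allowed_step(agent: str, action: str) -> bool:
    """Strict name syntax first, then an allowlisted (agent, action) pair."""
    well_formed = bool(_NAME.match(agent) and _NAME.match(action))
    return well_formed and action in AGENTS.get(agent, set())


def validate_step(agent: str, action: str) -> tuple[str, str]:
    if not is_allowed_step(agent, action):
        raise ValueError(f"step not allowlisted: {agent}.{action}")
    return agent, action
```

Running `audit_subscriptions` over the sample rejects the two planted entries before anything is executed, which is the quick check to run against a deployed subscriptions.json. The same rule covers the protocol.js finding: a fixed argv passed to `child_process.execFile` rather than a string built for `exec`.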
Full report: https://skillshield.io/report/848afdebea6e4de1
Powered by SkillShield