Trust Assessment
agent-registry received a trust score of 44/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 1 critical, 1 high, 1 medium, and 2 low severity. Key findings include "File read + network send exfiltration", "Sensitive environment variable access: $HOME", and "Node lockfile missing".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 9c1b8e80). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | File read + network send exfiltration: AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/matrixy/agent-registry/scripts/init_registry.py:671 |
| HIGH | Arbitrary File Read via Agent Path: The `get_agent.py` script loads agent content based on a 'path' stored in `registry.json`. The `init_registry.py` and `rebuild_registry.py` scripts, which populate `registry.json`, store absolute paths for agents. If a malicious entry is introduced into `registry.json` (e.g., by a compromised agent file or direct modification of the registry), `get_agent.py` could be coerced into reading arbitrary files on the system outside the intended skill directory. This constitutes a data exfiltration and excessive permissions vulnerability. Implement strict path validation and sanitization. When storing agent paths in `registry.json` (in `init_registry.py` and `rebuild_registry.py`), ensure they are always relative to the skill's designated `agents` directory and do not contain path traversal sequences (e.g., `..`). In `get_agent.py`, before reading the file, resolve the path to its canonical form and verify that it is strictly a child of the skill's `agents` directory. If it attempts to escape this boundary, refuse to load the agent. | LLM | scripts/get_agent.py:60 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/matrixy/agent-registry/install.sh:26 |
| LOW | Node lockfile missing: package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/matrixy/agent-registry/package.json |
| LOW | Unpinned Python Dependency Installation: The `install.sh` script installs the `questionary` Python package without specifying a version. This means that `pip3` will install the latest available version. While `questionary` is a legitimate library, installing unpinned dependencies can introduce supply chain risks if a future version contains vulnerabilities or breaking changes. For a simple UI library, the immediate risk is low, but it is a best practice to pin versions. Pin the version of `questionary` to a known good version (e.g., `pip3 install questionary==1.10.0 --quiet`) to ensure deterministic installations and mitigate risks from future malicious or buggy updates. Regularly review and update pinned versions. | LLM | install.sh:49 |
Full report: https://skillshield.io/report/031ab7afea138cc0