Trust Assessment
agent-step-sequencer received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 34 findings: 16 critical, 18 high, 0 medium, and 0 low severity. Key findings include unsafe environment variable passthrough, arbitrary command execution, and credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (34)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/gostlightai/agent-step-sequencer/scripts/step-sequencer-check.py:35 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/gostlightai/agent-step-sequencer/scripts/step-sequencer-runner.py:142 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/gostlightai/agent-step-sequencer/scripts/step-sequencer-runner.py:170 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/gostlightai/agent-step-sequencer/scripts/step-sequencer-runner.py:179 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:22 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:192 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:207 | |
| CRITICAL | Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:21 | |
| CRITICAL | Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:56 | |
| CRITICAL | Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:89 | |
| CRITICAL | Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:115 | |
| CRITICAL | Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:149 | |
| CRITICAL | Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:189 | |
| CRITICAL | Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:206 | |
| CRITICAL | Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:239 | |
| CRITICAL | Credential harvesting Bulk environment variable dump Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:275 | |
| HIGH | Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:21 | |
| HIGH | Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:56 | |
| HIGH | Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:89 | |
| HIGH | Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:115 | |
| HIGH | Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:149 | |
| HIGH | Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:189 | |
| HIGH | Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:206 | |
| HIGH | Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:239 | |
| HIGH | Unsafe environment variable passthrough Bulk environment variable harvesting Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:275 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'invoke_runner'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/gostlightai/agent-step-sequencer/scripts/step-sequencer-check.py:35 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/gostlightai/agent-step-sequencer/scripts/step-sequencer-runner.py:142 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/gostlightai/agent-step-sequencer/scripts/step-sequencer-runner.py:179 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/gostlightai/agent-step-sequencer/scripts/step-sequencer-runner.py:170 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_check'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:22 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_runner'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:207 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'test_step_agent_cmd_blocked'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/gostlightai/agent-step-sequencer/test/test_step_sequencer.py:192 | |
| HIGH | Arbitrary script execution via STEP_RUNNER environment variable The `scripts/step-sequencer-check.py` script determines the path to the runner script using `os.environ.get("STEP_RUNNER", ...)`. If an attacker can control the `STEP_RUNNER` environment variable, they can specify an arbitrary Python script (or any script executable by `sys.executable`) to be executed by the `step-sequencer-check.py` process. This allows for arbitrary code execution on the system where the skill is running. Restrict `STEP_RUNNER` to only allow paths within the skill's directory or a predefined, immutable safe location. Implement strict validation to ensure the path points to the expected `step-sequencer-runner.py` script and is not an arbitrary executable. | LLM | scripts/step-sequencer-check.py:22 | |
| HIGH | Arbitrary command execution via STEP_AGENT_CMD environment variable The `scripts/step-sequencer-runner.py` script executes an agent command specified by the `STEP_AGENT_CMD` environment variable. While the script implements robust checks (`_validate_agent_cmd` and `shell=False`) to prevent shell injection of the prompt argument, an attacker who can control `STEP_AGENT_CMD` can still specify any arbitrary executable binary on the system (e.g., `/bin/rm`, `/bin/mv`, `/bin/dd`) to be run. This grants significant power to an attacker who can manipulate this environment variable, potentially leading to data loss, system modification, or further compromise. The skill's warning "Set `STEP_AGENT_CMD` only to your trusted agent binary" highlights this risk but does not mitigate the underlying capability to execute arbitrary binaries. Implement stricter validation for `STEP_AGENT_CMD`. Instead of allowing any binary on PATH, consider a whitelist of allowed agent binaries or enforce that the binary must reside within a trusted, immutable skill directory. If the agent is expected to be `openclaw agent`, then explicitly check for that specific binary and its expected path. | LLM | scripts/step-sequencer-runner.py:60 | |