Trust Assessment
Agent-to-Owner File Bridge received a trust score of 50/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 2 critical, 3 high, 0 medium, and 0 low severity. Key findings include Cross-skill / cross-tool manipulation, AI Agent instructed to execute Python script, AI Agent instructed to execute public tunneling commands.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **AI Agent instructed to execute public tunneling commands.** The skill explicitly instructs the agent to run shell commands (`npx localtunnel --port 5000` and `ssh -R 80:localhost:5000 localhost.run`) to create public tunnels. Having the agent run arbitrary external programs (`npx`, `ssh`) gives it broad system access; if the package is not already installed, `npx` downloads it from the npm registry and executes it in one step. Never instruct an agent to run arbitrary shell commands, least of all ones that fetch or run external tools such as `npx` or `ssh` for public exposure. Provide secure, pre-configured, sandboxed mechanisms for any functionality that is genuinely needed. | LLM | SKILL.md:33 |
| CRITICAL | **AI Agent instructed to expose local files publicly via zero-auth tunnels.** The skill instructs the agent to use "zero-auth, free tunnels" (`localtunnel`, `localhost.run`) to expose a local file server publicly. This creates a direct, unauthenticated access point to any file the agent uploads to or stores on that server, a severe data exfiltration risk, and grants the agent network reach that bypasses local network security controls. Do not allow agents to create publicly accessible endpoints for sensitive data; all file sharing should go through authenticated and authorized channels. If temporary sharing is needed, use a platform with robust access controls, not a zero-auth public tunnel. | LLM | SKILL.md:33 |
| HIGH | **Cross-skill / cross-tool manipulation** (pre/post tool-use instruction injection). Remove cross-tool references from tool descriptions: a tool's description should document only its own behavior, not instruct the agent about other tools. | Manifest | skills/mrbeandev/file-links-tool/SKILL.md:8 |
| HIGH | **AI Agent instructed to execute Python script.** The skill explicitly instructs the agent to run `python server.py`, a script taken from a third-party repository, so the agent executes code from an external source inside its own environment. Avoid instructing the agent to execute arbitrary scripts; if server functionality is required, it should come from a trusted, sandboxed environment or a pre-approved, version-locked tool. | LLM | SKILL.md:32 |
| HIGH | **Unpinned third-party code dependency.** The agent is instructed to clone or copy `server.py` from `https://github.com/mrbeandev/OpenClaw-File-Links-Tool` without a version, commit hash, or tag. The agent could therefore fetch any version of the code, including a malicious update introduced by the repository owner or a compromised account (a supply-chain attack). Pin every external code dependency to a specific commit hash or tag for reproducibility and to block unexpected or malicious changes; consider vendoring critical dependencies or using a package manager with integrity checks. | LLM | SKILL.md:30 |
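The three LLM-layer findings above are all instruction patterns that can be caught by a plain text check before a skill is installed. The Python below is an added illustration of such a check, not SkillShield's analyzer and not code from the skill: it scans SKILL.md lines for GitHub fetch instructions that carry no commit or tag pin, for interpreter invocations of a script file, and for public tunnel tools, and reports each hit with a severity. The `SAMPLE_SKILL_MD` text is a constructed reconstruction built from the commands the findings quote, not the real file, and the commit hash in `PINNED_LINE` is a placeholder, not a real commit of that repository.

```python
"""Lint a SKILL.md for the instruction patterns the report above flags:
unpinned third-party code, bare script execution and public zero-auth tunnels.
Illustrative checker only, not SkillShield's analyzer."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str
    title: str
    line: int
    evidence: str


# GitHub repo URL, optionally followed by a ref segment (/tree/<ref> or /commit/<sha>).
GITHUB_REPO = re.compile(
    r"https://github\.com/[\w.-]+/[\w.-]+(?:/(?:tree|commit)/(?P<ref>[\w.-]+))?"
)
# What counts as a pin: a 7-40 hex commit hash or a dotted version tag (v1.2, 1.2.3).
PIN_TOKEN = re.compile(r"\b(?:[0-9a-f]{7,40}|v?\d+\.\d+(?:\.\d+)?)\b")
# Interpreter invocations of a script file: python server.py, node app.js, bash run.sh.
SCRIPT_EXEC = re.compile(r"\b(?:python3?|node|bash|sh)\s+\S+\.(?:py|js|sh)\b")
# Tools that publish a local port at a public URL; none require the caller to
# authenticate unless that is configured explicitly.
TUNNEL = re.compile(
    r"npx\s+localtunnel|\blocalhost\.run\b|\bssh\s+-R\b|\bngrok\b"
    r"|\bcloudflared\s+tunnel\b|\bserveo\.net\b"
)


def scan_skill(text: str) -> list[Finding]:
    """Return one Finding per (line, pattern) hit, in document order."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in GITHUB_REPO.finditer(line):
            ref = m.group("ref")
            # A pin may be in the URL's ref segment or elsewhere on the same line
            # (e.g. "git checkout <sha>"); a branch name such as "main" is not a pin.
            rest = line[: m.start()] + line[m.end():]
            pinned = bool(ref and PIN_TOKEN.fullmatch(ref)) or bool(PIN_TOKEN.search(rest))
            if not pinned:
                findings.append(Finding("HIGH", "Unpinned third-party code dependency", n, m.group(0)))
        exec_hit = SCRIPT_EXEC.search(line)
        if exec_hit:
            findings.append(Finding("HIGH", "Agent instructed to execute a script", n, exec_hit.group(0)))
        tunnels = [t.group(0) for t in TUNNEL.finditer(line)]
        if tunnels:
            findings.append(Finding("CRITICAL", "Agent instructed to open a public zero-auth tunnel",
                                    n, ", ".join(tunnels)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'HIGH': 2, 'CRITICAL': 1}."""
    return dict(Counter(f.severity for f in findings))


# Constructed reconstruction of the SKILL.md lines the findings above quote; not the real file.
SAMPLE_SKILL_MD = """\
# Agent-to-Owner File Bridge
Get server.py from https://github.com/mrbeandev/OpenClaw-File-Links-Tool into the workspace.
Run it: `python server.py` (it listens on port 5000).
Share it with a zero-auth, free tunnel: `npx localtunnel --port 5000` or `ssh -R 80:localhost:5000 localhost.run`.
"""

# Constructed: the same fetch instruction with a placeholder commit pin (not a real commit of that repo).
PINNED_LINE = ("Copy server.py from https://github.com/mrbeandev/OpenClaw-File-Links-Tool/commit/a1b2c3d4e5f6"
               " and check its sha256 before running.")

if __name__ == "__main__":
    hits = scan_skill(SAMPLE_SKILL_MD)
    for f in hits:
        print(f"{f.severity:8} line {f.line}: {f.title} [{f.evidence}]")
    print(summarize(hits))
    print(scan_skill(PINNED_LINE))  # pinned fetch, no exec, no tunnel -> no findings
```

The pin check is deliberately strict: `/tree/main` is treated as unpinned because a branch name can point at new code tomorrow, which is exactly the supply-chain exposure the last finding describes. A pinned commit only fixes what is fetched; verifying the fetched file's hash before running it is still the skill author's job.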
Full report: https://skillshield.io/report/f401c79e6befe3b8