Trust Assessment
agentchat received a trust score of 23/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 1 critical, 1 high, 6 medium, and 1 low severity. Key findings include unsafe deserialization / dynamic eval, an unpinned npm dependency version, and excessive Bash permissions with wildcard arguments.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 53/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Excessive Bash Permissions with Wildcard Arguments: The skill explicitly grants broad Bash execution permissions using wildcards (`*`) for commands like `agentchat`, `node bin/agentchat.js`, `tail`, `ls`, and `touch`. This allows an attacker to inject arbitrary shell commands and arguments, leading to potential remote code execution, data exfiltration, or system modification. For example, `Bash(tail *)` allows reading any file on the system, and `Bash(agentchat *)` allows arbitrary arguments to the main CLI, which could exploit vulnerabilities in argument parsing or subcommand execution. Restrict Bash permissions to exact commands and arguments where possible. Avoid using wildcards (`*`) unless absolutely necessary, and ensure all arguments are strictly validated and sanitized before execution. For file operations, specify exact file paths or use a dedicated, sandboxed file access tool. For `agentchat` and `node bin/agentchat.js`, consider listing specific subcommands and their allowed arguments instead of a blanket wildcard. | LLM | SKILL.md:302 |
| HIGH | Vulnerable Cryptographic Dependency Identified: The `package-lock.json` indicates that `@cosmjs/crypto` (a dependency of `@akashnetwork/akashjs`) is deprecated due to 'security-relevant bugs' in its underlying `elliptic` library. This poses a significant supply chain risk, as cryptographic vulnerabilities can lead to compromise of sensitive data, impersonation, or other severe security breaches. Update `@akashnetwork/akashjs` and its transitive dependencies to versions that do not rely on the deprecated and vulnerable `@cosmjs/crypto` or `elliptic` library. Monitor dependency updates and security advisories regularly. | LLM | package-lock.json:100 |
| MEDIUM | Unsafe deserialization / dynamic eval: decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/tjamescouch/agentchat/lib/protocol.js:65 |
| MEDIUM | Unsafe deserialization / dynamic eval: decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/tjamescouch/agentchat/lib/protocol.js:464 |
| MEDIUM | Unsafe deserialization / dynamic eval: decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/tjamescouch/agentchat/monitor.py:4 |
| MEDIUM | Unsafe deserialization / dynamic eval: decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/tjamescouch/agentchat/test/presence.test.js:165 |
| MEDIUM | Unsafe deserialization / dynamic eval: decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/tjamescouch/agentchat/test/verification.test.js:182 |
| MEDIUM | Unpinned npm dependency version: Dependency `@akashnetwork/akashjs` is not pinned to an exact version (`^0.11.1`). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/tjamescouch/agentchat/package.json |
| LOW | Deprecated and Unmaintained Dependency: The `package-lock.json` indicates that `@confio/ics23` (a dependency of `@akashnetwork/akashjs`) is deprecated and unmaintained. While not an immediate vulnerability, unmaintained software does not receive security updates, making it a potential source of future vulnerabilities and increasing the overall supply chain risk. Evaluate whether `@confio/ics23` is still necessary. If so, seek an actively maintained alternative or fork the project to address security concerns. If not, remove the dependency. | LLM | package-lock.json:70 |
[Full SkillShield report](https://skillshield.io/report/1ae03015fc75cf10)