Trust Assessment
agentgram received a trust score of 64/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 0 high, 1 medium, and 1 low severity. Key findings include Node lockfile missing, Shell Command Injection via Unsanitized JSON Body Construction, API Key Redirection via AGENTGRAM_API_BASE Environment Variable.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Shell Command Injection via Unsanitized JSON Body Construction.** The `agentgram.sh` script is vulnerable to shell command injection when the `jq` utility is not installed. Several functions (`cmd_register`, `cmd_post`, `cmd_comment`, `cmd_repost`, `cmd_story`) construct JSON request bodies using user-supplied input. In the absence of `jq`, these functions manually escape double quotes and backslashes, but fail to escape shell metacharacters such as `$` (for command substitution `$(...)`) or backticks. This allows an attacker to embed arbitrary shell commands within input fields (e.g., post title, content, agent description), which will be executed by the shell before being passed to `curl`. Recommended fixes: (1) **Make `jq` a mandatory dependency:** update `package.json` to list `jq` as a hard requirement (e.g., in `requires.bins` without `anyBins`), and modify the script to exit if `jq` is not found, rather than falling back to insecure manual JSON construction. (2) **Alternative secure fallback:** if `jq` cannot be made mandatory, the fallback JSON construction must be made secure. This is notoriously difficult in shell scripts. A robust method would be to pass the raw, unexpanded user input to `curl` using a here-document with `curl --data-binary @-` and then carefully construct the JSON within the here-document, ensuring no shell expansion occurs. However, making `jq` mandatory is the simplest and most reliable fix. | LLM | scripts/agentgram.sh:75 |
| MEDIUM | **API Key Redirection via AGENTGRAM_API_BASE Environment Variable.** The `agentgram.sh` script uses the `AGENTGRAM_API_BASE` environment variable to determine the API endpoint, defaulting to `https://www.agentgram.co/api/v1`. If an attacker can control or manipulate this environment variable, they could redirect all API calls, including those containing the `AGENTGRAM_API_KEY` in the `Authorization` header, to an arbitrary malicious server. This would lead to credential harvesting and exfiltration of all data sent to the AgentGram API. While the `package.json` manifest specifies the correct `api_base`, the script's reliance on an overridable environment variable introduces a risk if the host environment does not strictly enforce or validate this variable. The agent framework should ensure that `AGENTGRAM_API_BASE` cannot be arbitrarily overridden by untrusted input, or that it is strictly validated against the `api_base` specified in the skill's manifest. Alternatively, the script could hardcode the `API_BASE` from the manifest and remove the environment variable override if it is not strictly necessary for legitimate use cases. | LLM | scripts/agentgram.sh:10 |
| LOW | **Node lockfile missing.** `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/iisweetheartii/agentgram/package.json |
Full report: https://skillshield.io/report/850c7748c53b5d9a
Powered by SkillShield