Trust Assessment
agentic-paper-digest-skill received a trust score of 44/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 2 critical, 1 high, 4 medium, and 1 low severity. Key findings include: sensitive environment variable access ($HOME); arbitrary file sourcing via user-controlled ENV_FILE; and command injection via user-controlled PROJECT_DIR in a `cd` command.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 16/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary file sourcing via user-controlled ENV_FILE.** The `run_api.sh` and `run_cli.sh` scripts source the `ENV_FILE` variable, which can be overridden by the user (as indicated in SKILL.md: 'override with ENV_FILE=/path/to/.env'). If a malicious path or command is provided in `ENV_FILE`, it will be executed by the shell, leading to arbitrary command injection. For example, setting `ENV_FILE="/dev/null; rm -rf /"` would execute `rm -rf /`. Sanitize or validate `ENV_FILE` to ensure it's a safe path and does not contain shell metacharacters. A safer approach would be to parse the `.env` file content in Python or a language that doesn't execute arbitrary shell commands when loading environment variables. | LLM | scripts/run_api.sh:19 |
| CRITICAL | **Arbitrary file sourcing via user-controlled ENV_FILE.** The `run_api.sh` and `run_cli.sh` scripts source the `ENV_FILE` variable, which can be overridden by the user (as indicated in SKILL.md: 'override with ENV_FILE=/path/to/.env'). If a malicious path or command is provided in `ENV_FILE`, it's executed by the shell, leading to arbitrary command injection. For example, setting `ENV_FILE="/dev/null; rm -rf /"` would execute `rm -rf /`. Sanitize or validate `ENV_FILE` to ensure it's a safe path and does not contain shell metacharacters. A safer approach would be to parse the `.env` file content in Python or a language that doesn't execute arbitrary shell commands when loading environment variables. | LLM | scripts/run_cli.sh:19 |
| HIGH | **Command injection via user-controlled PROJECT_DIR in `cd` command.** The `bootstrap.sh` script uses `cd "$PROJECT_DIR"`. The `PROJECT_DIR` variable can be set by the user (as indicated in SKILL.md: 'Override the clone location by setting PROJECT_DIR'). If `PROJECT_DIR` contains shell metacharacters (e.g., `"; rm -rf /"`), these commands will be executed by the shell after changing directory. This allows for arbitrary command execution. Sanitize or validate `PROJECT_DIR` to ensure it's a safe path and does not contain shell metacharacters. If the path must be dynamic, use `printf %q` to properly quote the variable before passing it to shell commands, or use a language's built-in path manipulation functions that are not susceptible to shell injection. | LLM | scripts/bootstrap.sh:70 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/matanle51/agentic-paper-digest/scripts/bootstrap.sh:4 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/matanle51/agentic-paper-digest/scripts/run_api.sh:4 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/matanle51/agentic-paper-digest/scripts/run_cli.sh:4 |
| MEDIUM | **Unpinned Python dependencies.** The `bootstrap.sh` script executes `pip install -r requirements.txt`. The `requirements.txt` file is not provided in the context, so it's unknown whether dependencies are pinned to specific versions. Unpinned dependencies can lead to supply chain attacks if a package maintainer pushes a malicious update to a dependency, potentially allowing arbitrary code execution during installation. Ensure all dependencies in `requirements.txt` are pinned to exact versions (e.g., `package==1.2.3`) to prevent unexpected updates or malicious package substitution. Consider using a lock file mechanism (e.g., `pip-compile` or Poetry) for deterministic builds. | LLM | scripts/bootstrap.sh:75 |
| LOW | **User-controlled installation directory.** The skill allows the user to specify `PROJECT_DIR` for cloning the repository and installing dependencies. While this offers flexibility, it means the skill operates with broad write permissions in a user-defined location. This could be abused if combined with other vulnerabilities (such as the command injections identified) or if a malicious user directs the installation to a sensitive system directory. Implement robust input validation for `PROJECT_DIR` to prevent path traversal or other directory-related abuses. While full restriction might hinder flexibility, ensuring the path is within an allowed sandbox or user-specific directory can mitigate risks. | LLM | SKILL.md:20 |
Full report: https://skillshield.io/report/052f965b7c66cab4