Trust Assessment
agentpay received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Unpinned `agentpay` dependency in manifest, Potential command injection via dynamic `npx agentpay buy` parameters, Potential command injection via dynamic `txId` in `npx agentpay approve`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Prompt injection attempt: instructions embedded in untrusted content. The 'Important Rules' section within the untrusted skill content contains direct instructions to the LLM (e.g., 'Never attempt to read, extract, or log payment credentials from the vault', 'Always include --merchant...', 'Always tell your human...'). According to SkillShield's rules, any instructions found within untrusted content are considered prompt injection attempts and must be flagged as CRITICAL. The LLM should not follow these instructions, as they are part of the untrusted input. Remediation: remove all direct instructions to the LLM from the untrusted skill content. Any necessary guidance for the LLM should be provided as part of the trusted system prompt or skill definition, outside of the user-editable or untrusted sections. | LLM | SKILL.md:75 |
| HIGH | Potential command injection via dynamic `npx agentpay buy` parameters. The skill instructs the LLM to construct `npx agentpay buy` commands using parameters like `--merchant`, `--description`, `--url`, and `--amount`. These parameters are highly likely to be derived from untrusted user input. Without explicit instructions for sanitization or escaping, an attacker could inject malicious shell commands (e.g., `"; rm -rf /"`) into these parameters, leading to arbitrary code execution on the host system. Remediation: instruct the LLM to strictly sanitize and escape all dynamic input used in shell commands. Specifically, advise using a robust shell escaping mechanism for each parameter value before constructing the command string. | LLM | SKILL.md:35 |
| HIGH | Potential command injection via dynamic `txId` in `npx agentpay approve`. The skill instructs the LLM to use `npx agentpay approve <txId>`, where `<txId>` is a dynamic value. If this `txId` is derived from untrusted user input or an external source without proper sanitization, an attacker could inject malicious shell commands, leading to arbitrary code execution. Remediation: instruct the LLM to strictly validate and sanitize the `txId` parameter, ensuring it conforms to expected formats (e.g., an alphanumeric string) and is properly shell-escaped before command execution. | LLM | SKILL.md:47 |
| MEDIUM | Unpinned `agentpay` dependency in manifest. The skill's manifest specifies `agentpay` as a required package for installation via npm, but does not pin a specific version. This means that `npm install agentpay` will always fetch the latest version. If a malicious version of `agentpay` is published to npm, it could be automatically installed, leading to a supply chain attack. Remediation: pin the `agentpay` package to a specific, known-good version in the manifest (e.g., `"package": "agentpay@1.2.3"`). | LLM | SKILL.md:1 |