Trust Assessment
aiusd received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 5 critical, 0 high, 1 medium, and 0 low severity. Key findings include Arbitrary command execution, Missing required field: name, Untrusted Code Execution via Self-Extracting Installers.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/chaunceyliu/aiusd/aiusd-skill-installer.js:14 |
| CRITICAL | **Arbitrary command execution.** Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/chaunceyliu/aiusd/aiusd-skill-installer.js:58 |
| CRITICAL | **Arbitrary command execution.** Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/chaunceyliu/aiusd/aiusd-skill-installer.js:64 |
| CRITICAL | **Untrusted Code Execution via Self-Extracting Installers.** Both `aiusd-skill-installer.js` and `aiusd-skill-installer.sh` are self-extracting installers that embed a base64-encoded tarball containing the AIUSD skill package. These installers execute `npm install` within the extracted skill directory. If the `package.json` file within this untrusted skill package contains malicious `preinstall`, `postinstall`, or other lifecycle scripts, these will be executed with the permissions of the user running the installer. This constitutes a severe command injection vulnerability and a supply chain risk, as arbitrary code can be run during installation. Furthermore, the `SKILL.md` instructs the AI agent to execute commands like `npm run reauth`, `npm run login`, and `aiusd-skill tools --detailed`, which would invoke scripts or executables from this potentially compromised package. The base64 encoding of the package data also acts as a form of hidden instructions, making static analysis of the skill's true functionality difficult without prior decoding. 1. **Verify Package Contents**: The base64-encoded `PACKAGE_DATA` (or `__ARCHIVE_START__` data) must be decoded and its contents (especially `package.json` and any executable scripts) thoroughly audited for malicious code or suspicious dependencies before installation. 2. **Sandbox Installation**: Run installers in an isolated, sandboxed environment with minimal permissions to limit potential damage from malicious scripts. 3. **Dependency Pinning**: Ensure all dependencies in `package.json` are explicitly pinned to specific versions (e.g., `1.2.3` instead of `^1.2.3` or `*`) to prevent supply chain attacks via dependency updates. 4. **Remove Obfuscation**: Avoid base64 encoding of core skill components to allow for transparent security analysis and auditing. | LLM | aiusd-skill-installer.js:46 |
| CRITICAL | **Untrusted Code Execution via Self-Extracting Installers.** Both `aiusd-skill-installer.js` and `aiusd-skill-installer.sh` are self-extracting installers that embed a base64-encoded tarball containing the AIUSD skill package. These installers execute `npm install` within the extracted skill directory. If the `package.json` file within this untrusted skill package contains malicious `preinstall`, `postinstall`, or other lifecycle scripts, these will be executed with the permissions of the user running the installer. This constitutes a severe command injection vulnerability and a supply chain risk, as arbitrary code can be run during installation. Furthermore, the `SKILL.md` instructs the AI agent to execute commands like `npm run reauth`, `npm run login`, and `aiusd-skill tools --detailed`, which would invoke scripts or executables from this potentially compromised package. The base64 encoding of the package data also acts as a form of hidden instructions, making static analysis of the skill's true functionality difficult without prior decoding. 1. **Verify Package Contents**: The base64-encoded `PACKAGE_DATA` (or `__ARCHIVE_START__` data) must be decoded and its contents (especially `package.json` and any executable scripts) thoroughly audited for malicious code or suspicious dependencies before installation. 2. **Sandbox Installation**: Run installers in an isolated, sandboxed environment with minimal permissions to limit potential damage from malicious scripts. 3. **Dependency Pinning**: Ensure all dependencies in `package.json` are explicitly pinned to specific versions (e.g., `1.2.3` instead of `^1.2.3` or `*`) to prevent supply chain attacks via dependency updates. 4. **Remove Obfuscation**: Avoid base64 encoding of core skill components to allow for transparent security analysis and auditing. | LLM | aiusd-skill-installer.sh:75 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/chaunceyliu/aiusd/SKILL.md:1 |