Trust Assessment
alexandrie received a trust score of 84/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 4 findings: 0 critical, 0 high, 2 medium, and 1 low severity. Key findings include "Missing required field: name", "Sensitive environment variable access: $USER", and "Sensitive data stored in world-accessible temporary files".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/eth3rnit3/alexandrie/SKILL.md:1 |
| MEDIUM | **Sensitive environment variable access: $USER.** Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/eth3rnit3/alexandrie/alexandrie.sh:36 |
| LOW | **Sensitive data stored in world-accessible temporary files.** The skill stores sensitive authentication tokens (`/tmp/alexandrie_cookies.txt`) and user IDs (`/tmp/alexandrie_user_id`) in the `/tmp` directory. On many systems, `/tmp` is world-readable and world-writable, meaning other users or processes on the same system could potentially read these files and gain unauthorized access to the Alexandrie account. The password is also loaded into a shell variable, increasing its exposure in memory. Store sensitive data in more secure, restricted-access locations. If temporary files are necessary, ensure they are created with strict permissions (e.g., `chmod 600`) and are deleted immediately after use. Consider using a secure secret management system or environment variables for tokens instead of files. | LLM | alexandrie.sh:11 |
| INFO | **Sourcing environment file from fixed path (Supply Chain Risk).** The script uses `source /home/eth3rnit3/clawd/.env` to load environment variables, including the `ALEXANDRIE_PASSWORD`. If the `.env` file or its containing directory is compromised, an attacker could inject malicious shell commands into this file, leading to arbitrary code execution when the skill is invoked. This represents a supply chain risk related to the integrity of the skill's deployment environment. Ensure the `.env` file and its directory have strict file system permissions, preventing unauthorized modification. Ideally, secrets should be passed to the skill via secure environment variables or a dedicated secret management system rather than sourcing a file that could contain arbitrary shell code. | LLM | alexandrie.sh:15 |