Trust Assessment
arbiter received a trust score of 63/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 0 high, 1 medium, and 2 low severity. Key findings include an unpinned npm dependency version, a missing Node lockfile, and unsanitized user input embedded in LLM-consumed markdown/YAML.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 68/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Unsanitized user input embedded in LLM-consumed markdown/YAML: The `arbiter-push` tool (implemented in `src/push.ts`) embeds user-provided `title`, `context`, `tag`, and `notify` fields directly into a markdown file's YAML frontmatter and body. This file is intended for consumption by the Arbiter Zebu bot, which is described as performing 'async human review' and is likely an LLM. Malicious input in these fields could lead to prompt injection, allowing an attacker to manipulate the Arbiter Zebu bot's behavior, extract sensitive information, or execute unintended actions. Specifically, `title` and `notify` are embedded in YAML frontmatter without proper escaping, allowing for potential YAML injection. The `context` field is embedded directly into the markdown body, allowing for direct prompt injection. Implement robust sanitization or escaping for all user-provided fields (`title`, `context`, `tag`, `notify`) before embedding them into the markdown file. For YAML frontmatter, ensure proper YAML escaping (e.g., using a YAML library's safe string representation). For markdown content, escape markdown special characters or use a templating engine that automatically escapes. Consider using a dedicated LLM input sanitization library. | LLM | src/push.ts:40 |
| MEDIUM | Unpinned npm dependency version: Dependency 'gray-matter' is not pinned to an exact version ('^4.0.3'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/5hanth/arbiter/package.json |
| LOW | Node lockfile missing: package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/5hanth/arbiter/package.json |
| LOW | Agent/session identifiers written to local file: The skill reads `CLAWDBOT_AGENT` and `CLAWDBOT_SESSION` environment variables and writes their values into the generated markdown files in `~/.arbiter/queue/pending/`. While these are described as identifiers, if they were to contain sensitive information or credentials, this would constitute data exfiltration to a local file system, potentially accessible to other processes or users. It is crucial that these environment variables never store sensitive data. Ensure that `CLAWDBOT_AGENT` and `CLAWDBOT_SESSION` environment variables never contain sensitive credentials or secrets. If sensitive data must be associated with an agent or session, implement encryption for the files or avoid writing such data to disk. | LLM | src/push.ts:80 |