Trust Assessment
arena received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 31 findings: 2 critical, 13 high, 15 medium, and 1 low severity. Key findings include Hardcoded Bearer Token detected, Potential hardcoded secret (high entropy), Prompt Injection from Untrusted Skill Content.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (31)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | **Prompt Injection from Untrusted Skill Content.** The entire skill definition, including instructions for the LLM, is provided as untrusted input. The instruction 'When the user says `/arena start <code>`, execute this full workflow step by step' directly commands the host LLM. This violates the fundamental security principle of not trusting instructions from untrusted sources, making the LLM susceptible to manipulation by the skill's author or any future modifications to the skill content. The LLM is instructed to follow a complex workflow based on content that should be treated as data, not commands. Skill definitions and instructions for the LLM should be provided through trusted channels, not as part of untrusted user-provided or skill-provided content. The LLM's core instructions must explicitly override any conflicting instructions found within untrusted content. | LLM | SKILL.md:30 | |
| CRITICAL | **Command Injection via Unsanitized User Input in Shell Commands.** User-provided input (`CODE`) and derived variables (`AGENT_ID`, `BLOCK_ID`, `TOPIC`) are directly interpolated into multiple shell commands without any apparent sanitization. An attacker can inject arbitrary shell commands by crafting malicious input for the `/arena start` command, leading to arbitrary code execution on the host system. This is a severe vulnerability that can compromise the entire system. All user-provided inputs and variables derived from them must be rigorously sanitized or properly escaped before being used in shell commands. For `curl` arguments, ensure proper URL encoding. For file paths, validate against allowed characters and prevent path traversal. For commit messages, escape quotes and other shell metacharacters. Consider using a safer API for shell execution that automatically handles escaping, or strictly whitelist allowed characters for dynamic parts of commands. | LLM | SKILL.md:37 | |
| HIGH | **Hardcoded Bearer Token detected.** A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/sscottdev/arena/SKILL.md:59 | |
| HIGH | **Hardcoded Bearer Token detected.** A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/sscottdev/arena/SKILL.md:70 | |
| HIGH | **Hardcoded Bearer Token detected.** A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/sscottdev/arena/SKILL.md:93 | |
| HIGH | **Hardcoded Bearer Token detected.** A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/sscottdev/arena/SKILL.md:107 | |
| HIGH | **Hardcoded Bearer Token detected.** A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/sscottdev/arena/SKILL.md:121 | |
| HIGH | **Hardcoded Bearer Token detected.** A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/sscottdev/arena/SKILL.md:199 | |
| HIGH | **Hardcoded Bearer Token detected.** A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/sscottdev/arena/SKILL.md:69 | |
| HIGH | **Hardcoded Bearer Token detected.** A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/sscottdev/arena/SKILL.md:80 | |
| HIGH | **Hardcoded Bearer Token detected.** A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/sscottdev/arena/SKILL.md:103 | |
| HIGH | **Hardcoded Bearer Token detected.** A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/sscottdev/arena/SKILL.md:117 | |
| HIGH | **Hardcoded Bearer Token detected.** A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/sscottdev/arena/SKILL.md:131 | |
| HIGH | **Hardcoded Bearer Token detected.** A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/sscottdev/arena/SKILL.md:209 | |
| HIGH | **Hardcoded API Key in Untrusted Content.** A Supabase API key (`eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InFiaWpqdW51c2NtY3Jjd2pwb2pyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA0MzE4NTYsImV4cCI6MjA4NjAwNzg1Nn0.ObEgPDEz_RBwwH9RoCAthmokEWC7nv772uKmTeeXAHA`) is hardcoded and explicitly exposed within the untrusted `SKILL.md` content. While described as a 'public anon key (read-only, RLS-protected)', exposing any API key in untrusted content is a security risk. An attacker could harvest this key and attempt to exploit potential misconfigurations in the Supabase Row Level Security (RLS) or use it for reconnaissance, even if direct write access is not immediately available. API keys and other credentials should never be hardcoded in skill definitions or any untrusted content. They should be managed securely, for example, through environment variables, a secure secrets manager, or by requiring the user to provide them at runtime in a secure manner. If the key is truly public and read-only, it should be clearly documented as such, but ideally, even public keys should not be exposed in a way that encourages harvesting. | LLM | SKILL.md:18 | |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy=5.59) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/sscottdev/arena/SKILL.md:19 | |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy=5.59) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/sscottdev/arena/SKILL.md:58 | |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy=5.59) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/sscottdev/arena/SKILL.md:69 | |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy=5.59) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/sscottdev/arena/SKILL.md:92 | |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy=5.59) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/sscottdev/arena/SKILL.md:106 | |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy=5.59) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/sscottdev/arena/SKILL.md:120 | |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy=5.59) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/sscottdev/arena/SKILL.md:198 | |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy=5.59) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/sscottdev/arena/SKILL.md:29 | |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy=5.59) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/sscottdev/arena/SKILL.md:68 | |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy=5.59) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/sscottdev/arena/SKILL.md:79 | |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy=5.59) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/sscottdev/arena/SKILL.md:102 | |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy=5.59) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/sscottdev/arena/SKILL.md:116 | |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy=5.59) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/sscottdev/arena/SKILL.md:130 | |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy=5.59) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/sscottdev/arena/SKILL.md:208 | |
| MEDIUM | **Excessive Permissions for File System and External Git Operations.** The skill instructs the LLM to perform extensive file system operations (`mkdir`, `npx create-next-app`, `cd`, `git init`, `git add`, `git commit`) and to push code to an external GitHub repository (`git push`). While the intended scope for file operations is `~/arena-builds/BLOCK_ID`, the presence of command injection vulnerabilities (SS-LLM-003) means an attacker could potentially escape this directory and perform arbitrary file system operations. The `git push` to a shared GitHub repository also grants write access to an external resource, which could be abused to push malicious code, impacting the integrity of the project or other users. Implement strict sandboxing for file system operations, ensuring the LLM cannot write outside designated directories. Review the necessity of `git push` to a shared repository; if required, ensure robust pre-commit hooks and code review processes are in place on the repository side. Mitigating command injection vulnerabilities (SS-LLM-003) is crucial to prevent privilege escalation within the file system. | LLM | SKILL.md:143 | |
| LOW | **Supply Chain Risk from Unpinned Dependency and External Git Push.** The skill uses `npx create-next-app@latest` without pinning a specific version. This introduces a minor supply chain risk, as a future version of `create-next-app` could introduce malicious code or breaking changes, unexpectedly altering the skill's behavior. Additionally, the `npm run build` command executes scripts defined in the generated `package.json`, which could be a vector for malicious code if the LLM were to generate or modify these scripts unsafely, or if `create-next-app` itself were compromised. The `git push` to a shared repository (`Above-Capital/submissions.git`) also poses a risk of introducing malicious code into that repository if the LLM is compromised or generates unsafe code. Pin versions for all external dependencies (e.g., `npx create-next-app@14.1.0`) to ensure deterministic behavior and reduce the risk of unexpected changes or malicious updates. Implement strict validation and sanitization of any code generated by the LLM before it is committed or executed. For the `git push` operation, ensure the target repository has robust security measures, including code review, static analysis, and automated vulnerability scanning. | LLM | SKILL.md:143 | |