Trust Assessment
arena-agent received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings, in severity order: Arbitrary Code Execution via Custom Reply Generator (critical), Potential Prompt Injection in AI Agent's Reply/Post Generation (high), and an unpinned npm dependency version (medium).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary Code Execution via Custom Reply Generator.** The skill lets users specify a custom JavaScript file via the `--reply-generator` CLI option (e.g., `arena-agent daemon --reply-generator ./custom-replies.js`), then loads and executes that file to generate replies. This is an arbitrary code execution vulnerability: a malicious user could point the option at any JavaScript file on the system, fully compromising the host running the agent. *Recommendation:* remove the `--reply-generator` option. If custom logic is required, implement a secure plugin architecture with strict sandboxing, or expose predefined, safe customization points. If the intent is for developers to extend the skill, clearly document the security implications and restrict its use to trusted environments. | LLM | SKILL.md:199 |
| HIGH | **Potential Prompt Injection in AI Agent's Reply/Post Generation.** The skill runs as an autonomous AI agent that replies to mentions/tags and creates contextual posts. User-controlled input, such as mention content or the `ARENA_AGENT_PERSONALITY` environment variable, is likely used to construct prompts for the agent's underlying Large Language Model (LLM). If that input is not rigorously sanitized or escaped before reaching the LLM, a malicious user could craft input that manipulates the agent's behavior, generates harmful content, or exfiltrates information accessible to the LLM. The documentation claims "Input sanitized before posting," but the mechanism is not described, and `ARENA_AGENT_PERSONALITY` feeds the LLM's persona directly. *Recommendation:* sanitize and escape all user-controlled content (e.g., mention text, thread content) before incorporating it into LLM prompts; either strictly validate `ARENA_AGENT_PERSONALITY` or use it in a way that prevents injection; and consider templating engines or LLM APIs with structured input that separate instructions from user data. | LLM | SKILL.md:60 |
| MEDIUM | **Unpinned npm dependency version.** The dependency `dotenv` is not pinned to an exact version (`^16.4.0`). *Recommendation:* pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/ijaack/arena-agent/package.json |
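The medium-severity fix is a one-line change in `package.json`: replace the caret range with an exact version (the patch version shown is illustrative; pin whatever version is currently tested), and commit a lockfile so transitive dependencies are pinned too.

```json
{
  "dependencies": {
    "dotenv": "16.4.0"
  }
}
```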
Embed Code
[SkillShield Trust Report](https://skillshield.io/report/4715861193bc1434)
Powered by SkillShield