Trust Assessment
arxiv-watcher received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 2 high, 0 medium, and 0 low severity. Key findings include "Unsanitized user input in shell command", "Host LLM instruction embedded in untrusted skill description", and "Untrusted content written to agent memory file".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Unsanitized user input in shell command: The `QUERY` variable (`$1`) in `scripts/search_arxiv.sh` is directly interpolated into the `curl` command's URL string without proper sanitization or quoting. This allows an attacker to inject arbitrary shell commands by crafting a malicious query (e.g., `'; rm -rf /'`). Sanitize or properly quote the `$QUERY` variable before using it in the `curl` command. For example, use `printf %q` or ensure the input is strictly URL-encoded and does not contain shell metacharacters. A safer approach would be to use a programming language with a robust HTTP client library that handles parameter encoding automatically, or to explicitly escape shell metacharacters. | LLM | scripts/search_arxiv.sh:6 |
| HIGH | Host LLM instruction embedded in untrusted skill description: The `SKILL.md` file, which is part of the untrusted skill package, contains a direct instruction to the host LLM: 'MANDATORY: Append the title, authors, date, and summary of any paper discussed to `memory/RESEARCH_LOG.md`'. This violates the principle that untrusted content should not contain instructions for the host LLM, as it can be used to manipulate the LLM's behavior or override its system prompts. Remove direct instructions to the host LLM from the skill's `SKILL.md` description. The skill's behavior should be described, not commanded. If this is a critical step, it should be enforced by the skill's internal logic or the agent's system prompt, not by a directive within the untrusted skill description. | LLM | SKILL.md:20 |
| HIGH | Untrusted content written to agent memory file: The skill explicitly states it will append the title, authors, and summary of discussed papers to `memory/RESEARCH_LOG.md`. If the paper's title or summary contains malicious markdown or other injection payloads, this could lead to markdown injection when the `RESEARCH_LOG.md` file is later read or rendered. This could potentially be used for data exfiltration (e.g., via markdown image links to external servers) or to manipulate the agent's future understanding of its memory. Before writing to `memory/RESEARCH_LOG.md`, sanitize all user-controlled input (title, authors, summary) to escape or remove any potentially malicious markdown or HTML characters. Ensure that the LLM's processing of `RESEARCH_LOG.md` does not execute arbitrary code or load external resources based on its content. | LLM | SKILL.md:20 |