Trust Assessment
attio-cli received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 2 critical, 3 high, 3 medium, and 0 low severity. Key findings include "Persistence / self-modification instructions", "File read + network send exfiltration", and "Missing required field: name".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions. Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/froemic/attio-cli/SKILL.md:17 |
| CRITICAL | File read + network send exfiltration. AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/froemic/attio-cli/SKILL.md:16 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/froemic/attio-cli/SKILL.md:16 |
| HIGH | Unpinned external dependency for `attio-cli`. The skill instructs to clone `https://github.com/FroeMic/attio-cli` without specifying a particular version (e.g., commit hash or tag). This means that any future changes to the `main` branch of this repository could introduce malicious code or vulnerabilities, which would then be installed and executed by the agent via `npm install` and `npm link`. Pin the `attio-cli` dependency to a specific, immutable version (e.g., a commit hash or a signed tag) to ensure reproducibility and prevent unexpected changes from upstream. | LLM | SKILL.md:9 |
| HIGH | Potential Command Injection in `generate-schema.sh` from `attio-cli` output. The `scripts/generate-schema.sh` script constructs shell commands by interpolating variables (`$obj`) directly into `attio` CLI calls without proper sanitization. The `$obj` variable is derived from `attio object list \| jq -r '.[].api_slug'`. If an attacker can create or rename objects in the Attio workspace with `api_slug` values containing shell metacharacters (e.g., `my_object; rm -rf /`), these characters could be executed as commands when the script runs `attio object get "$obj"` or `attio object attributes-with-values "$obj"`. Ensure that all variables interpolated into shell commands are strictly validated or properly escaped. For `api_slug` values, consider using a whitelist of allowed characters or a robust shell escaping function before passing them as arguments to external commands. | LLM | scripts/generate-schema.sh:27 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/froemic/attio-cli/SKILL.md:1 |
| MEDIUM | Persistence mechanism: Shell RC file modification. Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/froemic/attio-cli/SKILL.md:17 |
| MEDIUM | `ATTIO_API_KEY` directly exposed in `curl` command examples. The `SKILL.md` provides `curl` command examples that directly embed the `$ATTIO_API_KEY` in the `Authorization` header. While these are examples, they demonstrate a pattern where the API key is directly used in shell commands. If an AI agent were to construct similar `curl` commands based on untrusted user input, and that input could manipulate the URL or other headers, an attacker could potentially exfiltrate the `ATTIO_API_KEY` to a malicious server. When constructing API calls, especially with sensitive credentials, ensure that all user-provided inputs are strictly validated and sanitized. Avoid direct string concatenation for sensitive parts of the request (like URLs or headers) if they can be influenced by untrusted input. Consider using a dedicated API client library that handles credential management securely instead of raw `curl` commands. | LLM | SKILL.md:61 |