Trust Assessment
basecamp-cli received a trust score of 31/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 0 high, 1 medium, and 2 low severity. Key findings include Persistence / self-modification instructions, Unpinned npm dependency version, and Encrypted tokens stored locally with machine-derived key.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Persistence / self-modification instructions.** Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/emredoganer/basecamp-cli/src/commands/auth.ts:103 |
| CRITICAL | **Persistence / self-modification instructions.** Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/emredoganer/basecamp-cli/src/lib/config.ts:165 |
| MEDIUM | **Unpinned npm dependency version.** Dependency 'chalk' is not pinned to an exact version ('^5.3.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/emredoganer/basecamp-cli/package.json |
| LOW | **Encrypted tokens stored locally with machine-derived key.** Access and refresh tokens are encrypted and stored in a local configuration file (managed by the 'conf' package). The encryption key is derived from machine-specific identifiers (hostname, username). While encryption provides a layer of protection, an attacker with local access to the machine and knowledge of the key derivation logic could potentially decrypt the tokens. This is a common pattern for CLI tools but is less secure than using a system keychain (e.g., macOS Keychain, Windows Credential Manager). The client secret is correctly handled via environment variables, which is a strong mitigation. Consider integrating with platform-specific system keychains (e.g., using a package like 'keytar') for more robust protection of sensitive tokens at rest, especially the refresh token which has a longer lifespan. Alternatively, clearly document this security trade-off to users. | LLM | src/lib/config.ts:19 |
| LOW | **Potential command injection via 'open' package with user-controlled redirect URI.** The 'open' package is used to launch the OAuth authorization URL in the user's default web browser. While the primary 'authUrl' is an 'https' URL to a trusted domain, the 'redirect_uri' parameter within this URL is user-configurable (via 'basecamp auth configure' or 'process.env.BASECAMP_CLIENT_ID'). If a malicious 'redirectUri' containing shell metacharacters or a 'file://' scheme could be injected and then passed to 'open' in a way that bypasses its internal sanitization, it could lead to arbitrary command execution. However, in this specific implementation, 'open' is called with the full 'authUrl' which is an 'https' URL, and the 'redirect_uri' is URL-encoded within its query parameters, significantly reducing the direct risk. The 'open' package itself is generally robust against simple URL-based command injection for 'https' URLs. Ensure strict validation and sanitization of all user-provided inputs, especially 'redirectUri', before they are incorporated into URLs passed to external command execution utilities like 'open'. While 'open' is generally safe for 'https' URLs, a defense-in-depth approach would involve validating 'redirectUri' to ensure it's a valid 'http(s)://localhost' URL. | LLM | src/lib/auth.ts:120 |
| INFO | **Dependencies in package.json use caret ranges.** The 'package.json' file specifies dependencies using caret (^) version ranges (e.g., "chalk": "^5.3.0"). This allows 'npm install' to automatically update to newer minor or patch versions of these packages. While 'package-lock.json' pins exact versions for reproducible builds by the developer, end-users installing the package directly from the npm registry (e.g., 'npm i -g @emredoganer/basecamp-cli') might receive newer, potentially untested, or even vulnerable versions if a dependency introduces a breaking change or security flaw in a minor/patch release. For CLI tools intended for global installation, consider using exact version pinning in 'package.json' (e.g., "chalk": "5.3.0") to ensure users always get the exact versions tested by the developer. This provides maximum control over the dependency tree. | LLM | package.json:30 |