Trust Assessment
beszel received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 3 critical, 2 high, 3 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Network egress to untrusted endpoints, Persistence mechanism: Shell RC file modification.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings8
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/karakuscem/beszel-check/SKILL.md:13 | |
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/karakuscem/beszel-check/SKILL.md:16 | |
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/karakuscem/beszel-check/index.js:6 | |
| HIGH | Credentials exfiltration via configurable host The skill reads `BESZEL_USER` and `BESZEL_PASS` from environment variables and sends them to the `BESZEL_HOST` specified in `process.env.BESZEL_HOST`. An attacker could set `BESZEL_HOST` to a malicious server, causing the skill to send sensitive authentication credentials to an unauthorized endpoint. Implement strict validation for `BESZEL_HOST` to ensure it points to a trusted, known endpoint. Consider using an allow-list for hostnames. Warn users about the risks of setting `BESZEL_HOST` to untrusted values. | LLM | index.js:50 | |
| HIGH | Unencrypted transmission of sensitive data The skill uses the `http` module for all network requests, including authentication, due to a misconfigured import (`const https = require('http');`). If `BESZEL_HOST` is configured with an `http://` URL, sensitive data like `BESZEL_USER` and `BESZEL_PASS` (and subsequent API tokens and data) will be transmitted in plaintext, making them vulnerable to interception. Correct the import to `const http = require('http');` and `const https = require('https');`. Then, dynamically choose between `http.request` and `https.request` based on the protocol of `CONFIG.host`, or enforce HTTPS for `BESZEL_HOST` to ensure all sensitive communications are encrypted. | LLM | index.js:2 | |
| MEDIUM | Persistence mechanism: Shell RC file modification Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/karakuscem/beszel-check/SKILL.md:13 | |
| MEDIUM | Persistence mechanism: Shell RC file modification Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/karakuscem/beszel-check/SKILL.md:16 | |
| MEDIUM | Potential prompt injection via unsanitized API output The skill directly outputs data received from the `BESZEL_HOST` API (e.g., `sys.name`, `c.n`) to the console. If an attacker can control the `BESZEL_HOST` or inject malicious data into its responses, they could embed prompt injection instructions within the output. A downstream LLM consuming this output could then be manipulated. Sanitize all output originating from external sources before printing to the console. This could involve stripping markdown, escaping special characters, or using a dedicated output formatting library that prevents injection. | LLM | index.js:70 |
Scan History
Embed Code
[](https://skillshield.io/report/b76cfd11539a43b2)
Powered by SkillShield