Trust Assessment
bexio received a trust score of 21/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 2 high, 2 medium, and 0 low severity. Key findings include "Sensitive path access: AI agent config", "Sensitive environment variable access: $HOME", and "Sensitive environment variable access: $USER".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via Unescaped JSON Payload Variables.** User-controlled input variables (e.g., `--name`, `--email`, `--title`) are directly interpolated into JSON payload strings without proper escaping. This allows an attacker to inject arbitrary shell commands that will be executed by the shell before the `curl` command is invoked. For example, an input like `--name 'foo", "evil_key": "$(cat /etc/passwd)"'` would execute `cat /etc/passwd`. This can lead to arbitrary code execution, data exfiltration (e.g., sensitive files, environment variables), and credential harvesting (e.g., `BEXIO_ACCESS_TOKEN`). This vulnerability affects all `create` and `edit` commands across various resources (contacts, quotes, invoices, orders). All user-supplied variables inserted into JSON payloads must be properly JSON-escaped. This can be done using a robust JSON library in Python (e.g., `json.dumps`) or a tool like `jq` to construct the JSON object, rather than insecure string concatenation. Ensure that any shell metacharacters are neutralized before string interpolation. | LLM | scripts/bexio.sh:139 |
| CRITICAL | **Command Injection via Unescaped URL Path/Query Parameters.** User-controlled input variables (e.g., search queries, IDs for `show`, `clone`, `send`, `issue`, `cancel` commands) are directly interpolated into URL paths and query parameters without proper URL encoding. This allows an attacker to inject arbitrary shell commands that will be executed by the shell. For example, an input like `bexio.sh contacts search "; rm -rf /"` could lead to arbitrary code execution. This can also be used for data exfiltration or credential harvesting. This vulnerability affects all `search`, `show`, `clone`, `send`, `issue`, and `cancel` commands across various resources. All user-supplied variables inserted into URL paths or query parameters must be properly URL-encoded. This can be achieved using a dedicated URL encoding utility or a Python script (e.g., `urllib.parse.quote_plus`) to ensure special characters are treated as data, not commands or URL structure. Additionally, validate input to ensure it conforms to expected formats (e.g., numeric IDs). | LLM | scripts/bexio.sh:120 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/rdewolff/bexio/SKILL.md:12 |
| HIGH | **Sensitive path access: AI agent config.** Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/rdewolff/bexio/scripts/bexio.sh:42 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/rdewolff/bexio/scripts/bexio.sh:32 |
| MEDIUM | **Sensitive environment variable access: $USER.** Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/rdewolff/bexio/scripts/bexio.sh:424 |