Trust Assessment
bitwarden received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 1 medium, and 1 low severity. Key findings include Potential command injection via `tmux send-keys` with `bw unlock --raw` output, Capture of sensitive Bitwarden output via `tmux capture-pane`, Execution of system-modifying command (`mkcert -install`) and unprovided local scripts.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 61/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Execution of system-modifying command (`mkcert -install`) and unprovided local scripts The 'Testing with Vaultwarden' section instructs the user/agent to run `mkcert -install`, which modifies the system's trust store by installing a root CA. It also instructs the execution of `./scripts/setup-test-account.sh` and `./scripts/test-skill-workflow.sh`. These scripts are not provided within the skill context, making their content unknown. An automated agent blindly following these instructions could execute arbitrary code with potentially high privileges and modify system-wide settings, leading to command injection and excessive permissions. For `mkcert -install`: Clearly delineate that this is a manual, user-initiated step for testing only, and should not be automated without explicit user consent and understanding of its implications. For local scripts: Provide the content of `./scripts/setup-test-account.sh` and `./scripts/test-skill-workflow.sh` within the skill package for analysis, or remove the instruction to execute them if they are not part of the skill's core functionality. If they are essential, they should be part of the skill's auditable content. | LLM | SKILL.md:70 | |
| HIGH | Supply chain risk from unprovided local scripts and `docker-compose.yml` The skill refers to and instructs the execution of `./scripts/setup-test-account.sh`, `./scripts/test-skill-workflow.sh`, and implicitly relies on a `docker-compose.yml` file (for `docker compose up -d`). These files are external to the provided skill context and their contents are unknown. This poses a significant supply chain risk, as an attacker could replace or modify these files in the local environment, leading to arbitrary code execution when the skill's instructions are followed. All scripts and configuration files that are intended to be executed or used by the skill should be included within the skill package itself, or their source should be explicitly pinned and verified (e.g., by hash). This allows for proper security analysis and prevents tampering, mitigating the supply chain risk. | LLM | SKILL.md:77 | |
| MEDIUM | Capture of sensitive Bitwarden output via `tmux capture-pane` The skill includes an example that captures the output of `bw list items --search github` using `tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200`. This command will capture potentially sensitive information (e.g., item names, notes, or parts of secrets if they appear in item metadata) from the Bitwarden vault. Although the 'Guardrails' section advises against pasting secrets, the mechanism for capturing this sensitive data is present, and the host LLM might inadvertently expose this captured information. Implement strict controls on how the captured output from `tmux capture-pane` is handled by the host LLM. Ensure that sensitive information is redacted or not exposed to external interfaces (logs, chat, etc.). The skill itself should ideally provide a mechanism to filter or redact sensitive parts of the output before capture, or explicitly state that the captured output *must* be treated as highly sensitive. | LLM | SKILL.md:36 | |
| LOW | Potential command injection via `tmux send-keys` with `bw unlock --raw` output The skill demonstrates using `tmux send-keys -t "$SESSION":0.0 -- 'export BW_SESSION=$(bw unlock --raw)' Enter`. While `bw unlock --raw` is designed to output a simple session key, if the `bw` CLI were compromised or produced unexpected output containing shell metacharacters, these could be executed within the tmux session. This creates a low-confidence command injection vulnerability, as it relies on an external tool's misbehavior. Ensure that the output of `bw unlock --raw` is strictly validated or sanitized before being used in a shell command, especially when assigned to an environment variable. Consider more robust quoting or input validation if `bw` output cannot be guaranteed to be safe. | LLM | SKILL.md:30 |
Scan History
Embed Code
[](https://skillshield.io/report/8875a587b1599d3b)
Powered by SkillShield