Trust Assessment
bluetooth-monitor received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include Command Injection via user-controlled input in format_address function.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via user-controlled input in format_address function | LLM | bluetooth-monitor.sh:26 |

Description: The `format_address` function, used to process user-supplied device addresses, employs the construct `echo "$1" | tr '[:lower:]' '[:upper:]'`. The `echo "$1"` command is vulnerable to command substitution if the input `$1` contains shell metacharacters like `$(command)` or backticks. This allows an attacker to execute arbitrary shell commands by crafting a malicious device address (e.g., `bluetooth-monitor connect "XX-XX-XX-XX-XX-XX; $(id)"`). The `format_address` function is called with user-controlled input from the command line arguments in `cmd_connect` and `cmd_disconnect`.

Remediation: Replace `echo "$1" | tr '[:lower:]' '[:upper:]'` with a safer method that prevents command substitution. A robust solution is `printf '%s' "$1" | tr '[:lower:]' '[:upper:]'`. Alternatively, if Bash 4+ is guaranteed, `echo "${1^^}"` can be used for uppercasing.