Trust Assessment
bob-p2p received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 28 findings: 7 critical, 6 high, 12 medium, and 2 low severity. Key findings include: Network egress to untrusted endpoints; Unsafe deserialization / dynamic eval; and Remote code execution: curl/wget pipe to shell.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (28)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/26medias/bob-p2p-beta/client/src/cli/provider.js:104 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/26medias/bob-p2p-beta/client/src/provider/server.js:283 |
| CRITICAL | **Network egress to untrusted endpoints.** Axios POST/PUT to URL. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/26medias/bob-p2p-beta/client/handlers/image-generator.js:181 |
| CRITICAL | **Network egress to untrusted endpoints.** Axios POST/PUT to URL. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/26medias/bob-p2p-beta/client/handlers/image-generator.js:209 |
| CRITICAL | **Network egress to untrusted endpoints.** Axios POST/PUT to URL. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/26medias/bob-p2p-beta/client/handlers/video-generator.js:220 |
| CRITICAL | **Remote code execution: curl/wget pipe to shell.** Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/26medias/bob-p2p-beta/scripts/api-info.sh:28 |
| CRITICAL | **Direct Storage and Handling of Solana Private Key.** The skill explicitly requires the user's Solana private key (mnemonic or raw key) to be stored in plaintext within the `config.json` file. This private key is then loaded into memory by various Node.js scripts (`SolanaClient`, `AggregatorRegistrar`) and used for signing transactions. Storing the private key directly in a configuration file makes it highly vulnerable to compromise if the skill's environment is breached, the config file is accidentally exposed (e.g., committed to version control, shared), or if other processes on the system can access the user's home directory. While the skill warns against sharing, the fundamental design choice to require the private key in a file is a severe security risk. Avoid storing private keys directly in configuration files. Instead, consider using secure key management solutions such as: 1. Hardware Security Modules (HSMs). 2. Environment variables (though still sensitive). 3. Secure vaults (e.g., HashiCorp Vault, AWS Secrets Manager). 4. Prompting for the key at runtime and immediately encrypting it or using it for a single session without persistent storage. 5. Using a secure wallet integration that signs transactions externally without exposing the private key to the skill. | LLM | SKILL.md:49 |
| HIGH | **Arbitrary File Write via User-Controlled Output Path (Consumer Download).** The `consumer-download.js` script allows a user to specify an arbitrary output path for downloaded files via the `--output` argument. This argument is directly passed to `fs.createWriteStream(outputPath)` in `client/src/consumer/index.js`. A malicious user could provide a path like `/etc/passwd`, `~/.ssh/id_rsa`, or use path traversal sequences (e.g., `../../../../etc/passwd`) to overwrite sensitive system files or user files with the downloaded content. Implement strict validation and sanitization for the `--output` argument. Ensure the path is confined to a designated, non-sensitive download directory (e.g., a subdirectory within the skill's own data directory) and prevent path traversal characters (e.g., '..', '/') from being part of the path. Use `path.resolve()` and `path.normalize()` in conjunction with checks to ensure the resolved path remains within the allowed base directory. | LLM | client/src/cli/consumer-download.js:30 |
| HIGH | **Arbitrary File Write via User-Controlled Database Path (JSON DB).** The `JsonDatabase` class constructs its database file path (`this.dbPath`) directly from `dbConfig.path` (which comes from user configuration). If a malicious path containing traversal sequences (e.g., `../../../../etc/passwd.json`) is provided in the configuration, it could lead to arbitrary file read or write operations, allowing an attacker to access or modify sensitive files on the system by manipulating where the JSON database is stored. Implement strict validation and sanitization for the database path in the configuration. Ensure the path is confined to a designated, non-sensitive directory (e.g., a subdirectory within the skill's own data directory) and prevent path traversal characters. Use `path.resolve()` and `path.normalize()` in conjunction with checks to ensure the resolved path remains within the allowed base directory. | LLM | client/src/database/json.js:10 |
| HIGH | **Arbitrary File Write via User-Controlled Database Path (SQLite DB).** The `SqliteDatabase` class constructs its database file path directly from `this.config.path` (which comes from user configuration). If a malicious path containing traversal sequences (e.g., `../../../../etc/passwd.db`) is provided in the configuration, it could lead to arbitrary file read or write operations, allowing an attacker to access or modify sensitive files on the system by manipulating where the SQLite database is created or accessed. Implement strict validation and sanitization for the database path in the configuration. Ensure the path is confined to a designated, non-sensitive directory (e.g., a subdirectory within the skill's own data directory) and prevent path traversal characters. Use `path.resolve()` and `path.normalize()` in conjunction with checks to ensure the resolved path remains within the allowed base directory. | LLM | client/src/database/sqlite.js:14 |
| HIGH | **Arbitrary File Write via User-Controlled Result Storage Path (Provider).** The `JobExecutor` class uses `config.provider.results.storagePath` (from user configuration) as the base for storing job results. The `saveResult` method then constructs a destination path using this base and a `filename` which can be influenced by API definitions. If `storagePath` is set to a sensitive directory or `filename` contains path traversal sequences (e.g., `../../../../etc/passwd`), it could lead to arbitrary file write operations, allowing an attacker to overwrite sensitive files on the provider's system. Implement strict validation and sanitization for `config.provider.results.storagePath` and the `filename` parameter. Ensure `storagePath` is confined to a designated, non-sensitive directory and prevent path traversal characters in `filename`. Use `path.resolve()` and `path.normalize()` in conjunction with checks to ensure the resolved path remains within the allowed base directory. | LLM | client/src/jobs/index.js:130 |
| HIGH | **Arbitrary File Read via User-Controlled Result Storage Path (P2P).** The `createResultFetchHandler` in `client/src/p2p/protocols.js` constructs the file path for job results using `this.resultStorage` (from user configuration) and `job.resultFilename` (which can be influenced by API definitions). If `storagePath` is set to a sensitive directory or `resultFilename` contains path traversal sequences (e.g., `../../../../etc/passwd`), it could lead to arbitrary file read operations, allowing an attacker to exfiltrate sensitive files from the provider's system via the P2P endpoint. Implement strict validation and sanitization for `config.provider.results.storagePath` and the `resultFilename` parameter. Ensure `storagePath` is confined to a designated, non-sensitive directory and prevent path traversal characters in `resultFilename`. Additionally, ensure that the file serving mechanism (e.g., `fs.createReadStream`) is configured to restrict access to only the intended result directory. | LLM | client/src/p2p/protocols.js:200 |
| HIGH | **Arbitrary File Read via User-Controlled Result Storage Path (HTTP).** The `/job/:jobId/download` endpoint in `client/src/provider/server.js` constructs the file path for job results using `this.jobs.resultStorage` (from user configuration) and `job.resultFilename` (which can be influenced by API definitions). If `storagePath` is set to a sensitive directory or `resultFilename` contains path traversal sequences (e.g., `../../../../etc/passwd`), it could lead to arbitrary file read operations, allowing an attacker to exfiltrate sensitive files from the provider's system via the HTTP endpoint. Implement strict validation and sanitization for `config.provider.results.storagePath` and the `resultFilename` parameter. Ensure `storagePath` is confined to a designated, non-sensitive directory and prevent path traversal characters in `resultFilename`. Additionally, configure `res.sendFile` with a `root` option to restrict file access to a safe directory, preventing access to files outside this root. | LLM | client/src/provider/server.js:178 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/26medias/bob-p2p-beta/client/src/consumer/index.js:4 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/26medias/bob-p2p-beta/client/src/p2p/protocols.js:35 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/26medias/bob-p2p-beta/client/src/queue/index.js:4 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/26medias/bob-p2p-beta/scripts/api-info.sh:5 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/26medias/bob-p2p-beta/scripts/balance.sh:5 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/26medias/bob-p2p-beta/scripts/call.sh:6 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/26medias/bob-p2p-beta/scripts/configure.sh:5 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/26medias/bob-p2p-beta/scripts/job-status.sh:5 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/26medias/bob-p2p-beta/scripts/search.sh:5 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/26medias/bob-p2p-beta/scripts/setup.sh:13 |
| MEDIUM | **Unpinned npm dependency version.** Dependency '@chainsafe/libp2p-noise' is not pinned to an exact version ('^17.0.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/26medias/bob-p2p-beta/client/package.json |
| MEDIUM | **Potential Shell Command Injection via Unsanitized User Input in Bash Script.** The `scripts/call.sh` script passes user-controlled JSON body (`$BODY`) as an argument to a Node.js script using `node ... --body "$BODY"`. While the Node.js script is designed to parse this as JSON, the shell script itself does not fully sanitize or escape the `$BODY` variable. If a malicious user crafts the `$BODY` input to contain shell command substitutions (e.g., `$(malicious_command)` or backticks), these commands could be executed by the shell before the input reaches the Node.js process, leading to arbitrary command injection. Ensure all user-controlled input passed to shell commands is properly escaped or quoted to prevent shell metacharacter interpretation. For JSON strings, consider using a utility function to escape special characters or, if possible, pass the data via standard input (stdin) to the Node.js script rather than as a command-line argument, which is less prone to shell injection. | LLM | scripts/call.sh:70 |
| LOW | **Node lockfile missing.** package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/26medias/bob-p2p-beta/client/package.json |
| LOW | **Unpinned Dependencies in package.json.** The `client/package.json` file uses caret (`^`) ranges for many dependencies (e.g., `@chainsafe/libp2p-noise: ^17.0.0`). This allows npm to install minor and patch updates automatically. While convenient, it introduces a supply chain risk as a malicious update in a dependency could be pulled in without explicit review, potentially introducing vulnerabilities or unwanted behavior. This is a common practice but still represents a reducible risk. Pin dependencies to exact versions (e.g., `"17.0.0"` instead of `"^17.0.0"`) to ensure deterministic builds and prevent unexpected updates. Regularly audit and manually update dependencies after reviewing their changelogs for security implications. | LLM | client/package.json:20 |
| INFO | **Unused Database Driver Dependencies.** The `client/package.json` lists `mongodb`, `pg` (PostgreSQL), and `tedious` (MS SQL) as dependencies. However, their corresponding database implementation files (`client/src/database/mongo.js`, `client/src/database/postgres.js`, `client/src/database/mssql.js`) explicitly throw an error stating that these database types are 'not yet implemented'. This indicates that these dependencies are not currently used by the skill, adding unnecessary attack surface and increasing the overall package size without providing functionality. Remove unused dependencies from `package.json` to reduce the attack surface, improve build times, and decrease the final package size. Only include dependencies that are actively used and required for the skill's functionality. | LLM | client/package.json:35 |