Trust Assessment
bort-agent received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 3 critical, 0 high, 1 medium, and 0 low severity. Key findings include remote code execution (curl/wget output piped to a shell), command injection via `agentId` in agent-status.sh, and command injection via `agentId` in send-message.sh.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Remote code execution: curl/wget pipe to shell.** Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. **Remediation:** Never pipe curl/wget output directly to a shell interpreter. | Static | skills/tsu-j/bort-agent/scripts/query-agent.sh:46 |
| CRITICAL | **Command Injection via agentId in agent-status.sh.** The `agentId` argument, which is user-controlled input, is directly interpolated into the URL path of a `curl` command without proper shell escaping or input validation. This allows an attacker to inject arbitrary shell commands by providing a specially crafted `agentId` (e.g., `1; rm -rf /;`). The shell will interpret metacharacters in `agentId` before executing `curl`, leading to arbitrary code execution on the host system. **Remediation:** Implement strict input validation for `agentId` to ensure it only contains expected characters (e.g., digits for an integer). For example, add a regex check like `if ! [[ "$AGENT_ID" =~ ^[0-9]+$ ]]; then echo "Error: agentId must be an integer." >&2; exit 1; fi` before using the variable in the `curl` command. | LLM | scripts/agent-status.sh:15 |
| CRITICAL | **Command Injection via agentId in send-message.sh.** The `agentId` argument, which is user-controlled input, is directly interpolated into the URL path of a `curl` command without proper shell escaping or input validation. This allows an attacker to inject arbitrary shell commands by providing a specially crafted `agentId` (e.g., `1; rm -rf /;`). The shell will interpret metacharacters in `agentId` before executing `curl`, leading to arbitrary code execution on the host system. **Remediation:** Implement strict input validation for `agentId` to ensure it only contains expected characters (e.g., digits for an integer). For example, add a regex check like `if ! [[ "$AGENT_ID" =~ ^[0-9]+$ ]]; then echo "Error: agentId must be an integer." >&2; exit 1; fi` before using the variable in the `curl` command. | LLM | scripts/send-message.sh:25 |
| MEDIUM | **Potential SSRF/Data Exfiltration via configurable runtime URLs.** The skill uses environment variables `BORT_RUNTIME_URL` and `BNB_RPC_URL` to determine the target for network requests. If the AI agent or a malicious user can control these environment variables, they could redirect the skill's network requests to internal services (Server-Side Request Forgery, SSRF) or to external malicious endpoints. This could lead to data exfiltration, port scanning of internal networks, or interaction with unauthorized services. **Remediation:** If possible, restrict the values allowed for these environment variables (e.g., whitelist domains/IPs, prevent private IP ranges). Ensure that the platform executing the skill sanitizes or restricts environment variable settings from untrusted sources (e.g., user prompts to the LLM). If the skill is intended to be used in a sandboxed environment, ensure the sandbox prevents outbound connections to unauthorized destinations. | LLM | SKILL.md:25 |
Full report: https://skillshield.io/report/3128122735e5060d
Powered by SkillShield