Trust Assessment
bot-debate received a trust score of 63/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 2 high, 1 medium, and 1 low severity. Key findings include an unpinned npm dependency version, a missing Node lockfile, and path traversal in botName leading to arbitrary file write/rename.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Path Traversal in botName leading to arbitrary file write/rename | LLM | debate_client.js:109 |
| HIGH | Malicious server can inject instructions into sub-agent prompt | LLM | debate_client.js:80 |
| MEDIUM | Unpinned npm dependency version | Dependencies | skills/metalbreeze/bot-debate/package.json |
| LOW | Node lockfile missing | Dependencies | skills/metalbreeze/bot-debate/package.json |
| INFO | Unpinned dependencies in package.json | LLM | package.json:10 |

Finding details

HIGH: Path Traversal in botName leading to arbitrary file write/rename (LLM, debate_client.js:109)
- Description: The `botName` argument, taken directly from command-line input (`process.argv[3]`), is used to construct the file paths `prompts/${this.botName}.md` and `replies/${this.botName}.txt`. Because the value is not validated, path traversal sequences (e.g., `../../`) can write or rename files outside the intended `prompts` and `replies` directories. An attacker could use this to overwrite critical system files or place malicious scripts in arbitrary locations, leading to command injection or data manipulation.
- Recommendation: Sanitize `botName` to remove any path traversal characters (e.g., `../`, `/`) before using it in file paths. A simple regex that allows only alphanumeric characters, hyphens, and underscores would be effective.

HIGH: Malicious server can inject instructions into sub-agent prompt (LLM, debate_client.js:80)
- Description: The prompt generated for the isolated sub-agent includes content taken directly from the WebSocket server's `msgData` (specifically `msgData.topic`, `msgData.your_side`, and `msgData.debate_log`). A malicious or compromised debate server could inject arbitrary instructions into these fields, which are then written to `prompts/{bot_name}.md` and processed by the sub-agent. This allows the server to manipulate the sub-agent's behavior beyond its intended debate role, potentially leading to unintended actions or information disclosure.
- Recommendation: Implement strict sanitization or filtering of all server-provided `msgData` fields (`topic`, `your_side`, `debate_log` entries) before incorporating them into the sub-agent's prompt. This could involve stripping specific keywords, limiting length, or encoding potentially harmful characters. The sub-agent itself should also be hardened against prompt injection.

MEDIUM: Unpinned npm dependency version (Dependencies, skills/metalbreeze/bot-debate/package.json)
- Description: Dependency `ws` is not pinned to an exact version (`^8.14.2`).
- Recommendation: Pin dependencies to exact versions to reduce drift and supply-chain risk.

LOW: Node lockfile missing (Dependencies, skills/metalbreeze/bot-debate/package.json)
- Description: `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`).
- Recommendation: Commit a lockfile for deterministic dependency resolution.

INFO: Unpinned dependencies in package.json (LLM, package.json:10)
- Description: `package.json` uses caret (`^`) ranges for the `ws` and `uuid` dependencies. While common, this allows minor and patch version updates which, in rare cases, could introduce vulnerabilities if a malicious update is published to the npm registry. Pinning exact versions (e.g., `8.14.2`, `9.0.1`) or ensuring a lock file (`package-lock.json`) is always committed and used provides stronger supply chain security by guaranteeing deterministic builds.
- Recommendation: Pin dependencies to exact versions (e.g., `"ws": "8.14.2"`) or ensure `package-lock.json` is always committed and used for deterministic builds.
Full report: [skillshield.io/report/68370ad5d4a76b1c](https://skillshield.io/report/68370ad5d4a76b1c)