Trust Assessment
bot-status-api received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 13 findings: 11 critical, 1 high, 0 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Arbitrary command execution, and Node lockfile missing.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (13)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/suspect80/bot-status-api/server.js:149 |
| CRITICAL | Arbitrary command execution: Python dynamic code execution (exec/eval/compile). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/suspect80/bot-status-api/collectors/devservers.js:5 |
| CRITICAL | Arbitrary command execution: Python dynamic code execution (exec/eval/compile). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/suspect80/bot-status-api/collectors/email.js:6 |
| CRITICAL | Arbitrary command execution: Python dynamic code execution (exec/eval/compile). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/suspect80/bot-status-api/collectors/services.js:6 |
| CRITICAL | Arbitrary command execution: Python dynamic code execution (exec/eval/compile). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/suspect80/bot-status-api/collectors/skills.js:7 |
| CRITICAL | Arbitrary command execution: Python dynamic code execution (exec/eval/compile). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/suspect80/bot-status-api/collectors/system.js:7 |
| CRITICAL | Command Injection via `config.devServers.processGrep`: The `collectors/devservers.js` module constructs a shell command using `ps aux \| grep '${grep}' ...` where the `grep` variable is taken from `config.devServers.processGrep`. Although single-quoted, a malicious string containing a single quote (e.g., `foo' ; evil_command ; echo 'bar`) can break out of the quotes and inject arbitrary shell commands, leading to remote code execution. Avoid direct string concatenation for shell commands. Use `child_process.spawn` with an array of arguments, or if `exec` must be used, ensure all user-controlled input is rigorously escaped for shell metacharacters (e.g., using a library like `shell-quote` or `shlex.quote` for Python equivalents) before interpolation. | LLM | collectors/devservers.js:17 |
| CRITICAL | Command Injection via `config.email[].command`: The `collectors/email.js` module directly executes the `acct.command` string, which is sourced from `config.email[].command`. This allows an attacker who can modify the `config.json` file to inject and execute arbitrary shell commands on the system, leading to remote code execution. Avoid direct string concatenation for shell commands. Use `child_process.spawn` with an array of arguments, or if `exec` must be used, ensure all user-controlled input is rigorously escaped for shell metacharacters (e.g., using a library like `shell-quote` or `shlex.quote` for Python equivalents) before interpolation. | LLM | collectors/email.js:30 |
| CRITICAL | Command Injection via `config.services[].command`: The `collectors/services.js` module directly executes the `svc.command` string within the `checkCommand` function, which is sourced from `config.services[].command`. This allows an attacker who can modify the `config.json` file to inject and execute arbitrary shell commands on the system, leading to remote code execution. Avoid direct string concatenation for shell commands. Use `child_process.spawn` with an array of arguments, or if `exec` must be used, ensure all user-controlled input is rigorously escaped for shell metacharacters (e.g., using a library like `shell-quote` or `shlex.quote` for Python equivalents) before interpolation. | LLM | collectors/services.js:48 |
| CRITICAL | Command Injection via `config.services[].path`: The `collectors/services.js` module constructs a shell command `ls ${svc.path} 2>/dev/null` within the `checkFileExists` function, where `svc.path` is sourced from `config.services[].path`. This allows an attacker who can modify the `config.json` file to inject arbitrary shell commands (e.g., `'; rm -rf /;'`) by providing a malicious path, leading to remote code execution. Avoid direct string concatenation for shell commands. Use `child_process.spawn` with an array of arguments, or if `exec` must be used, ensure all user-controlled input is rigorously escaped for shell metacharacters (e.g., using a library like `shell-quote` or `shlex.quote` for Python equivalents) before interpolation. For checking file existence, `fs.access` is sufficient and safer than `ls`. | LLM | collectors/services.js:56 |
| CRITICAL | Command Injection via `SKILL.md` 'bins' frontmatter: The `collectors/skills.js` module reads `SKILL.md` files, extracts `requiredBins` from their frontmatter, and then executes `which ${b}` for each bin. If a malicious `SKILL.md` is installed, it can specify a bin name like `'; evil_command ;'` which will be directly interpolated into the `which` command, leading to arbitrary shell command execution. Avoid direct string concatenation for shell commands. When checking for binary existence, use `child_process.spawn` with `['which', b]` as arguments, or ensure `b` is rigorously escaped for shell metacharacters before interpolation into the command string. | LLM | collectors/skills.js:48 |
| HIGH | TLS Certificate Validation Disabled: The skill explicitly disables TLS certificate validation globally by setting `process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'`. This makes all HTTPS connections vulnerable to man-in-the-middle (MITM) attacks, allowing an attacker to intercept, read, and modify encrypted traffic. This can lead to data exfiltration, credential harvesting, or arbitrary code execution if the intercepted data is used to control application logic. Remove `process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';`. If specific self-signed certificates are required for certain services (e.g., Portainer, UniFi), configure a custom HTTPS agent with the trusted CA certificates for those specific connections, rather than disabling validation globally. | LLM | server.js:10 |
| LOW | Node lockfile missing: package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/suspect80/bot-status-api/package.json |