Trust Assessment
capability-evolver received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 42 findings: 27 critical, 2 high, 12 medium, and 1 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, and Node lockfile missing.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (42)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/index.js:5 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/scripts/build_public.js:3 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/scripts/generate_history.js:1 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/scripts/publish_public.js:1 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/scripts/recover_loop.js:5 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/scripts/suggest_version.js:3 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/src/evolve.js:4 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/src/gep/solidify.js:3 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/scripts/build_public.js:169 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/scripts/generate_history.js:17 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/scripts/publish_public.js:13 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/scripts/publish_public.js:19 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/scripts/publish_public.js:22 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/scripts/publish_public.js:94 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/scripts/publish_public.js:97 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/scripts/publish_public.js:228 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/scripts/publish_public.js:239 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/scripts/recover_loop.js:19 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/scripts/recover_loop.js:54 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/scripts/suggest_version.js:27 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/src/evolve.js:250 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/src/evolve.js:258 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/src/evolve.js:275 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/src/evolve.js:861 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/src/evolve.js:874 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/evolver/src/gep/solidify.js:63 | |
| CRITICAL | Insufficient Shell Command Sanitization in Gene Validation The `isValidationCommandAllowed` function, used to sanitize `gene.validation` commands before execution, employs an insufficient blacklist of shell operators. While it checks for `;`, `` ` ``, `$`, `\|\|`, `&&`, `>`, `<`, and `\|`, it misses critical operators such as `&` (background execution) and `$(...)` (command substitution). An attacker could craft a malicious `gene.validation` command, for example, `node -e "console.log('ok')" & malicious_command`, which would bypass the current safety check. If such a Gene (from an external candidate) is promoted, its validation command would be executed via `execSync`, leading to arbitrary command execution within the evolver's process context. Implement a robust whitelist approach for validation commands, or use `child_process.spawn` with an array of arguments to prevent shell interpretation, rather than `execSync` with a single string command. If `execSync` must be used, a comprehensive and regularly updated blacklist of shell metacharacters and command substitution patterns is required, or better yet, a whitelist of allowed command structures. | LLM | scripts/a2a_promote.js:60 | |
| HIGH | Arbitrary Module Loading via Environment Variable The `getTransport()` function in `src/gep/a2aProtocol.js` allows loading a custom transport module by dynamically `require()`-ing a path specified in the `A2A_CUSTOM_TRANSPORT_PATH` environment variable. If an attacker can control this environment variable, they can specify a path to an arbitrary JavaScript file or Node.js module on the system. This would lead to arbitrary code execution within the context of the evolver process, posing a significant supply chain risk and a direct code injection vulnerability. Remove the 'custom' transport type option. If custom transports are absolutely necessary, implement strict whitelisting of allowed module paths or use a secure sandbox for loading custom code. Ensure that environment variables are protected from unauthorized modification. | LLM | src/gep/a2aProtocol.js:208 | |
| HIGH | Data Exfiltration and Credential Harvesting via Configurable Endpoints The skill is configured to send internal operational data (A2A messages, memory graph events, signals) to external HTTP endpoints. These endpoints are specified by environment variables (`A2A_HTTP_ENDPOINT`, `MEMORY_GRAPH_REMOTE_URL`, `A2A_HUB_URL`). Additionally, authentication tokens (`A2A_HTTP_AUTH_TOKEN`, `MEMORY_GRAPH_REMOTE_KEY`) are included in the Authorization headers of these requests. If an attacker can manipulate these environment variables to point to an untrusted server, they can exfiltrate sensitive internal data and harvest credentials. While `sanitizePayload` exists, it is specific to capsule content and may not cover all data types or the authentication tokens themselves. Ensure that environment variables pointing to external services are strictly controlled and configured only with trusted endpoints. Implement robust input validation and whitelisting for these URLs. Review all data sent to external services to ensure no sensitive information beyond what is strictly necessary is transmitted. Consider using more secure methods for credential management than environment variables. | LLM | src/gep/a2aProtocol.js:260 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/autogame-17/evolver/index.js:73 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/autogame-17/evolver/src/gep/contentHash.js:2 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/autogame-17/evolver/src/gep/contentHash.js:36 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/autogame-17/evolver/src/gep/envFingerprint.js:34 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/autogame-17/evolver/src/gep/memoryGraph.js:405 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/autogame-17/evolver/src/gep/mutation.js:44 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/autogame-17/evolver/src/gep/mutation.js:147 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/autogame-17/evolver/src/gep/personality.js:145 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/autogame-17/evolver/src/gep/prompt.js:42 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/autogame-17/evolver/src/gep/selector.js:20 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/autogame-17/evolver/src/gep/solidify.js:260 | |
| MEDIUM | Excessive Permissions for Public Package Publishing The `scripts/publish_public.js` script executes `npm publish --access public`. This command has the capability to publish arbitrary code to a public npm registry. While the script attempts to control the `package.json` and uses `--ignore-scripts` during `npm install`, the overall capability to publish code is a high-privilege action. If the build environment or the generated package content is compromised (e.g., through a prior command injection or supply chain attack), malicious code could be published under the skill's identity, impacting downstream users. Implement multi-factor authentication and strict access controls for publishing to package registries. Ensure the build and publish pipeline is isolated and hardened against tampering. Consider manual review steps or automated security scanning of the package content before any public publication. | LLM | scripts/publish_public.js:430 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/autogame-17/evolver/package.json |