Trust Assessment
capability-evolver received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 5 critical, 2 high, 2 medium, and 1 low severity. The key findings are arbitrary command execution (child_process and synchronous shell execution in evolve.js, generate_history.js and index.js), prompt injection through the session transcript embedded in the evolver's LLM prompt, a hardcoded Feishu API token, an unpinned npm dependency, and a missing Node lockfile.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100; it is the layer that holds the four critical child_process findings.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)
| Severity | Finding | Detail | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Node.js `child_process` require. | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | `skills/opencloseopenclose/capabilityevolver1037/evolve.js:4` |
| CRITICAL | Arbitrary command execution | Node.js `child_process` require. | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | `skills/opencloseopenclose/capabilityevolver1037/generate_history.js:1` |
| CRITICAL | Arbitrary command execution | Node.js `child_process` require. | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | `skills/opencloseopenclose/capabilityevolver1037/index.js:3` |
| CRITICAL | Arbitrary command execution | Node.js synchronous shell execution. | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | `skills/opencloseopenclose/capabilityevolver1037/generate_history.js:16` |
| CRITICAL | Prompt Injection via User Logs and Broad LLM Capabilities | The `evolve.js` script constructs a prompt for the LLM that grants extremely broad capabilities, including instructions to 'Edit code to fix it', 'Refactor it', 'CREATE A SKILL' (which involves creating `index.js` and `package.json` files), 'run `node skills/capability-evolver/safe_publish.js`' and 'Git: Sync workspace changes'. These instructions let the LLM modify its own codebase and execute arbitrary commands. Crucially, the prompt directly embeds the last 5000 characters of the agent's session transcript (`transcript.slice(-5000)`), which is user-controlled input. This is a direct prompt injection vulnerability: a malicious user can craft text in a session log that, when the evolver processes it, manipulates the LLM into generating and executing arbitrary code or commands, leading to full system compromise. | Implement strict sandboxing for LLM-generated code and commands. Filter and sanitize all user-controlled input (e.g., session logs) before embedding it into prompts. Restrict the LLM's ability to write to sensitive directories or execute arbitrary commands. Introduce a human-in-the-loop for review and approval of all LLM-generated code modifications or new skill creations. | LLM | `evolve.js:70` |
| HIGH | Command Injection and Excessive Permissions via LLM Instructions | The `evolve.js` script imports `child_process.execSync` and explicitly instructs the LLM within its prompt to execute shell commands such as `node skills/feishu-card/send.js` (via `reportingDirective`), `node skills/capability-evolver/safe_publish.js`, and 'Git: Sync workspace changes'. It also instructs the LLM to 'CREATE A SKILL' by writing `index.js` and `package.json` files into the `skills/` directory. If the LLM is successfully prompted (maliciously or through prompt injection), it can execute arbitrary shell commands and create new executable code that the system then runs: a severe command injection vulnerability and excessive permissions granted to the LLM, enabling remote code execution. | Avoid direct execution of LLM-generated commands. If execution is absolutely necessary, run it in a highly restricted sandbox. Use strict allow-listing for commands and arguments, and never allow arbitrary command execution. All LLM-generated code changes, especially new skill creations, must undergo security review and approval before being deployed or executed. | LLM | `evolve.js:4` |
| HIGH | Hardcoded and Insecurely Stored API Tokens | The `export_history.js` script contains a hardcoded `DOC_TOKEN` (`'NwV1dKCLyoPdIvx3biRcKS1Jnwg'`) used to authenticate to the Feishu API, and additionally reads another token from `memory/feishu_token.json`. Hardcoding API tokens in source code exposes them to anyone with access to the codebase; storing tokens in a plain-text file under the agent's `memory/` directory is also insecure, since such files may lack adequate access controls. An attacker holding these tokens could gain unauthorized access to Feishu documents or other services, leading to data breaches or unauthorized modifications. | Remove all hardcoded API tokens from the source code. Use a secrets management solution (environment variables, a dedicated secrets vault, or a cloud secrets manager) to store and retrieve credentials. Ensure files containing sensitive information, such as `feishu_token.json`, are never committed to version control and are protected with strict file system permissions. | LLM | `export_history.js:4` |
| MEDIUM | Unpinned npm dependency version | Dependency `dotenv` is not pinned to an exact version (`^16.4.5`). | Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | `skills/opencloseopenclose/capabilityevolver1037/package.json` |
| MEDIUM | Data Exfiltration via Session Log Embedding in Prompt | The `evolve.js` script embeds the last 5000 characters of the agent's session transcript directly into the LLM prompt (`${transcript.slice(-5000)}`). Session logs often contain sensitive information such as user inputs, API responses, file contents, or temporary credentials. Exposing this raw, unfiltered data to the LLM creates a data exfiltration risk: a compromised LLM or a successful prompt injection could instruct the model to extract that data and transmit it to an attacker-controlled endpoint. | Redact and filter sensitive information from session logs before they are used as LLM input. Ensure no personally identifiable information (PII), API keys, or other confidential data is included in LLM inputs without explicit sanitization. | LLM | `evolve.js:86` |
| LOW | Node lockfile missing | `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). | Commit a lockfile for deterministic dependency resolution. | Dependencies | `skills/opencloseopenclose/capabilityevolver1037/package.json` |
Full report: https://skillshield.io/report/3f6cafdb0281e24c (powered by SkillShield)