Trust Assessment
captions received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 8 critical, 0 high, 0 medium, and 0 low severity. Key findings include "Persistence / self-modification instructions" and "Potential Command Injection via User Input in Shell Commands".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions: Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/therohitdas/captions/scripts/tapi-auth.js:467 |
| CRITICAL | Persistence / self-modification instructions: Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/therohitdas/captions/scripts/tapi-auth.js:468 |
| CRITICAL | Persistence / self-modification instructions: Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/therohitdas/captions/scripts/tapi-auth.js:472 |
| CRITICAL | Persistence / self-modification instructions: Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/therohitdas/captions/scripts/tapi-auth.js:473 |
| CRITICAL | Persistence / self-modification instructions: Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/therohitdas/captions/scripts/tapi-auth.js:581 |
| CRITICAL | Persistence / self-modification instructions: Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/therohitdas/captions/scripts/tapi-auth.js:688 |
| CRITICAL | Potential Command Injection via User Input in Shell Commands: The skill's setup instructions in SKILL.md direct the agent to execute shell commands (`node ./scripts/tapi-auth.js`) with user-provided arguments (`USER_EMAIL`, `TOKEN_FROM_STEP_1`, `CODE`). If the agent directly interpolates these user inputs into a shell command string without proper sanitization or escaping, a malicious user could inject arbitrary shell commands. For example, a crafted email address like 'attacker@example.com; rm -rf /; #' could lead to arbitrary code execution on the host system when the agent attempts to run the 'register' command. The agent must sanitize or shell-escape all user-provided arguments (`USER_EMAIL`, `TOKEN_FROM_STEP_1`, `CODE`) before constructing and executing shell commands. A safer approach would be for the skill to expose a programmatic interface (e.g., a Python function) that the agent can call directly, passing arguments as function parameters, thereby bypassing shell interpretation entirely. | LLM | SKILL.md:10 |
| CRITICAL | Potential Command Injection via User Input in Shell Commands: The skill's setup instructions in SKILL.md direct the agent to execute shell commands (`node ./scripts/tapi-auth.js`) with user-provided arguments (`USER_EMAIL`, `TOKEN_FROM_STEP_1`, `CODE`). If the agent directly interpolates these user inputs into a shell command string without proper sanitization or escaping, a malicious user could inject arbitrary shell commands. For example, a crafted OTP or token could lead to arbitrary code execution on the host system when the agent attempts to run the 'verify' command. The agent must sanitize or shell-escape all user-provided arguments (`USER_EMAIL`, `TOKEN_FROM_STEP_1`, `CODE`) before constructing and executing shell commands. A safer approach would be for the skill to expose a programmatic interface (e.g., a Python function) that the agent can call directly, passing arguments as function parameters, thereby bypassing shell interpretation entirely. | LLM | SKILL.md:15 |