Trust Assessment
cdn-url-transfer received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 3 critical, 3 high, 3 medium, and 0 low severity. Key findings include "Network egress to untrusted endpoints", "Potential hardcoded secret (high entropy)", and "Remote code execution: curl/wget pipe to shell".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Details and remediation | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hexiaochun/cdn-url-transfer/SKILL.md:155 |
| CRITICAL | Remote code execution: curl/wget pipe to shell | Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/hexiaochun/cdn-url-transfer/SKILL.md:155 |
| CRITICAL | Hardcoded cloud storage credentials | The skill explicitly defines `TOS_CONFIG` containing `access_key` and `secret_key` for Volces TOS. These credentials are hardcoded directly into the skill's instructions, granting full access to the `fal-task` bucket. The `secret_key` is base64 encoded, which is not a security measure and can be easily decoded. This poses a severe risk of credential compromise and unauthorized access to cloud storage. Remove hardcoded credentials. Use environment variables, a secure secrets management service (e.g., AWS Secrets Manager, HashiCorp Vault), or an IAM role/service account with least-privilege permissions. Ensure credentials are never stored directly in code or configuration files. | LLM | SKILL.md:59 |
| HIGH | Potential command injection in `curl` commands | Multiple `curl` commands are used to download files from external URLs and upload them. The placeholders `原始外部URL`, `文件名.png`, `文件.png`, `URL编码的模型ID`, and `CDN链接` are likely to be replaced by untrusted input. If these inputs contain shell metacharacters (e.g., `$(command)`, `"; rm -rf /"`), they could lead to arbitrary command execution on the host system. When constructing shell commands with untrusted input, always sanitize or properly escape all variables. For Python, use `subprocess.run()` with `shell=False` and pass arguments as a list, or use a dedicated library for URL fetching that handles escaping internally. Avoid directly concatenating untrusted strings into shell commands. | LLM | SKILL.md:49 |
| HIGH | Potential command injection in `kill` command | The instruction `kill <PID>` is provided for service restart. If the `<PID>` placeholder is populated from untrusted input, an attacker could inject arbitrary commands (e.g., `kill $(cat /etc/passwd)` or `kill 1; rm -rf /`). Ensure that any PID used in a `kill` command is strictly validated as a numeric process ID and not derived from untrusted input. Prefer using process management tools or APIs that do not expose direct shell execution of `kill` with user-controlled arguments. | LLM | SKILL.md:139 |
| HIGH | Potential command injection via `python3 -c` execution | The skill uses `curl ... \| python3 -c "..."` to process API responses. While the Python script itself appears benign, the pattern of executing `python3 -c` with a string that could potentially be influenced by untrusted input (e.g., from the `curl` output or the `URL编码的模型ID` in the `curl` command) creates a high risk. An attacker could craft input that modifies the Python code executed, leading to arbitrary code execution. Avoid constructing and executing shell commands with `python3 -c` where any part of the command string or its input can be influenced by untrusted data. If Python scripting is necessary, write a separate script file and execute it, passing untrusted data as arguments or via standard input, ensuring proper parsing and validation within the script. | LLM | SKILL.md:150 |
| MEDIUM | Potential hardcoded secret (high entropy) | A high-entropy string (entropy=4.66) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/hexiaochun/cdn-url-transfer/SKILL.md:66 |
| MEDIUM | Potential hardcoded secret (high entropy) | A high-entropy string (entropy=4.66) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/hexiaochun/cdn-url-transfer/SKILL.md:70 |
| MEDIUM | Unpinned dependency in installation instructions | The skill instructs `pip install tos` without specifying a version. This can lead to supply chain risks, as future versions of the `tos` package might introduce breaking changes, vulnerabilities, or even malicious code. Always pin dependencies to specific versions (e.g., `pip install tos==X.Y.Z`) to ensure reproducible builds and mitigate risks from unexpected changes or malicious updates in newer versions. Use a `requirements.txt` file with exact versions. | LLM | SKILL.md:199 |