Trust Assessment
claude-team received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 27 findings: 15 critical, 7 high, 5 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Network egress to untrusted endpoints, and Arbitrary command execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (27)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions: Crontab manipulation (list/remove/edit). Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/jalehman/claude-team/SKILL.md:420 |
| CRITICAL | Persistence / self-modification instructions: macOS LaunchAgent/LaunchDaemon persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/jalehman/claude-team/SKILL.md:289 |
| CRITICAL | Persistence / self-modification instructions: macOS LaunchAgent/LaunchDaemon persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/jalehman/claude-team/SKILL.md:298 |
| CRITICAL | Persistence / self-modification instructions: macOS LaunchAgent/LaunchDaemon persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/jalehman/claude-team/SKILL.md:322 |
| CRITICAL | Persistence / self-modification instructions: macOS LaunchAgent/LaunchDaemon persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/jalehman/claude-team/assets/setup.sh:30 |
| CRITICAL | Persistence / self-modification instructions: macOS LaunchAgent/LaunchDaemon persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/jalehman/claude-team/assets/setup.sh:41 |
| CRITICAL | Persistence / self-modification instructions: Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/jalehman/claude-team/SKILL.md:429 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/jalehman/claude-team/SKILL.md:238 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/jalehman/claude-team/SKILL.md:261 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/jalehman/claude-team/assets/setup.sh:61 |
| CRITICAL | Arbitrary command execution: Remote code download piped to interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/jalehman/claude-team/assets/setup.sh:13 |
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/jalehman/claude-team/assets/setup.sh:13 |
| CRITICAL | Direct Prompt Injection via 'prompt' field. The `spawn_workers` tool accepts a `prompt` field which is explicitly described as 'Additional instructions (if no bead, this is their assignment)'. This field is directly passed to the Claude Code worker, making it a direct vector for prompt injection attacks if the input is untrusted. An attacker could manipulate the worker's behavior, bypass safety mechanisms, or extract sensitive information. Implement robust input validation and sanitization for the `prompt` field. Consider using a dedicated instruction format or limiting the scope of instructions that can be passed. Ensure the underlying Claude Code worker has strong safety mechanisms to prevent malicious instructions. | LLM | SKILL.md:65 |
| CRITICAL | Direct Prompt Injection via 'message_workers' tool. The `message_workers` tool accepts a `message` field which is sent directly to one or more Claude Code workers. This field is a direct vector for prompt injection attacks if the input is untrusted. An attacker could manipulate the worker's behavior, bypass safety mechanisms, or extract sensitive information. Implement robust input validation and sanitization for the `message` field. Consider using a dedicated instruction format or limiting the scope of instructions that can be passed. Ensure the underlying Claude Code worker has strong safety mechanisms to prevent malicious instructions. | LLM | SKILL.md:90 |
| CRITICAL | Dangerous 'skip_permissions' option for workers. The `spawn_workers` tool allows setting `skip_permissions: true`, which starts the Claude Code worker with `--dangerously-skip-permissions`. This explicitly bypasses permission checks, allowing the worker to write files without restrictions. If combined with prompt injection or command injection, this could lead to arbitrary file writes, system compromise, or data destruction. Avoid using `skip_permissions: true` unless absolutely necessary and with extreme caution. If required, ensure that the `project_path` and worker instructions are highly trusted and isolated. Implement strict sandboxing for workers operating with elevated privileges. | LLM | SKILL.md:68 |
| HIGH | Persistence mechanism: macOS LaunchAgent. Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/jalehman/claude-team/SKILL.md:289 |
| HIGH | Persistence mechanism: macOS LaunchAgent. Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/jalehman/claude-team/SKILL.md:298 |
| HIGH | Persistence mechanism: macOS LaunchAgent. Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/jalehman/claude-team/SKILL.md:322 |
| HIGH | Persistence mechanism: macOS LaunchAgent. Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/jalehman/claude-team/assets/setup.sh:30 |
| HIGH | Persistence mechanism: macOS LaunchAgent. Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/jalehman/claude-team/assets/setup.sh:41 |
| HIGH | Insecure 'uv' installation method recommended. The `assets/setup.sh` script recommends installing `uv` using `curl -LsSf https://astral.sh/uv/install.sh \| sh`. Piping a script directly from the internet to a shell (`sh`) is a significant supply chain risk. If the remote server (`astral.sh`) is compromised, malicious code could be executed on the user's system with the privileges of the user running the script. Recommend a more secure installation method, such as downloading the script, reviewing it, and then executing it, or using a package manager if available. Provide a checksum for the downloaded script to verify its integrity. | LLM | assets/setup.sh:12 |
| HIGH | Potential Command Injection via worker config fields in Git operations. The `bead` and `annotation` fields provided to `spawn_workers` are used to name git branches (e.g., 'branch named after bead'). The documentation also mentions `git branch -D <branch-name>`. If these fields contain shell metacharacters or git command injection payloads and are not properly sanitized before being used in shell commands (e.g., `git checkout -b $bead_branch_name`), an attacker could execute arbitrary commands. Ensure all user-provided strings used in shell commands, especially `git` commands, are rigorously sanitized and escaped. Use parameterized commands or libraries that handle escaping automatically where possible. | LLM | SKILL.md:165 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/jalehman/claude-team/SKILL.md:368 |
| MEDIUM | Persistence mechanism: Shell RC file modification. Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/jalehman/claude-team/SKILL.md:429 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/jalehman/claude-team/assets/setup.sh:9 |
| MEDIUM | Potential Data Exfiltration via Telegram notifications. The `check-workers.sh` script, presented in `SKILL.md`, sends worker status notifications to Telegram, including the `bead` ID and `annotation` (task description). If sensitive information is inadvertently or maliciously placed in these fields, it could be exfiltrated to the configured Telegram chat. While the script is provided for user convenience, it demonstrates a channel for data leakage if the input to `bead` or `annotation` is not carefully controlled. Advise users to avoid placing sensitive information in `bead` or `annotation` fields. Consider redacting or sanitizing potentially sensitive parts of these fields before sending them to external notification services. | LLM | SKILL.md:270 |
| MEDIUM | Potential Command Injection in 'check-workers.sh' via 'curl' arguments. The `check-workers.sh` script, presented in `SKILL.md`, constructs a `MESSAGE` variable using `BEAD` and `ANNOTATION` (derived from `worker-tracking.json`) and passes it to `curl`'s `-d text` argument. While `curl` typically handles basic escaping, a sophisticated payload within `BEAD` or `ANNOTATION` could potentially break out of the `text` argument or exploit `curl`'s parsing, leading to arbitrary command execution or manipulation of the HTTP request. Ensure that `BEAD` and `ANNOTATION` values are strictly validated and sanitized to prevent injection of shell metacharacters or malicious `curl` options. Consider using a more robust method for constructing HTTP requests in shell scripts, or passing the message content via a temporary file to avoid direct argument injection. | LLM | SKILL.md:270 |