Trust Assessment
clscli received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include Command Injection via output file path, Supply Chain Risk: Unpinned third-party Homebrew tap, Command Injection via query string argument.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Command Injection via output file path: The skill describes the `clscli` tool's ability to write output to a specified file using the `--output` or `-o` argument (e.g., `-o topics.csv`, `-o result.json`, `-o context.json`). If the AI agent constructs `clscli` commands by directly interpolating untrusted user input into the filename argument, an attacker could specify an arbitrary file path. This could lead to overwriting critical system files, writing sensitive query results to publicly accessible locations, or executing arbitrary commands if shell metacharacters are allowed in the filename and not properly escaped by the underlying shell execution mechanism. Ensure that any user-provided input for the `--output` or `-o` argument is strictly validated and sanitized to prevent arbitrary file paths or shell metacharacters. Only allow writing to a predefined, secure directory with a controlled filename, or use a temporary file mechanism. | LLM | SKILL.md:30 |
| HIGH | Supply Chain Risk: Unpinned third-party Homebrew tap: The skill's setup instructions recommend installing `clscli` via a third-party Homebrew tap (`dbwang0130/clscli`). This introduces a supply chain risk, as the integrity of the `clscli` tool depends on the security of this external repository. No version pinning is specified for the `clscli` package, so future `brew install` or `brew upgrade` operations could fetch a new, potentially malicious version if the `dbwang0130/clscli` tap were compromised or updated with malicious code. Whenever possible, use officially maintained package repositories. If a third-party tap is necessary, consider auditing the source code, pinning to a specific version or commit hash, and implementing integrity checks (e.g., checksums) to mitigate the risk of malicious updates. For production environments, consider vendoring the dependency or using a more controlled installation method. | LLM | SKILL.md:10 |
| MEDIUM | Command Injection via query string argument: The `clscli query` command accepts a `-q` or `--query` argument that takes a complex string representing a query condition or SQL statement (e.g., `"[query condition] | [SQL statement]"`). If the AI agent constructs this query string by directly interpolating untrusted user input without proper sanitization, an attacker could potentially inject malicious query logic or, depending on `clscli`'s internal parsing and the underlying shell, even shell metacharacters. This could lead to unauthorized data access, manipulation, or denial of service within the CLS system. Implement robust input validation and sanitization for all components of the query string. Escape or disallow shell metacharacters. If the query language supports it, use parameterized queries or a dedicated query builder to prevent injection. Clearly define and enforce the allowed syntax for query conditions and SQL statements. | LLM | SKILL.md:45 |
Full report: https://skillshield.io/report/6272c983b07cadab