Trust Assessment
compact-state received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 14 findings: 5 critical, 8 high, 1 medium, and 0 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Sensitive path access: AI agent config.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (14)
| Severity | Finding | Detail | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Node.js child_process require | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/402goose/compact-state/molt-tools.js:107 |
| CRITICAL | Arbitrary command execution | Node.js child_process require | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/402goose/compact-state/molt-tools.js:621 |
| CRITICAL | Arbitrary command execution | Node.js synchronous shell execution | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/402goose/compact-state/molt-tools.js:108 |
| CRITICAL | Arbitrary command execution | Node.js synchronous shell execution | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/402goose/compact-state/molt-tools.js:444 |
| CRITICAL | Arbitrary command execution | Node.js synchronous shell execution | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/402goose/compact-state/molt-tools.js:622 |
| HIGH | Unsafe deserialization / dynamic eval | Decryption followed by code execution | Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/402goose/compact-state/molt-tools.js:442 |
| HIGH | Sensitive path access: AI agent config | Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. | Verify that access to this sensitive path is justified and declared. | Static | skills/402goose/compact-state/SKILL.md:17 |
| HIGH | Sensitive path access: AI agent config | Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. | Verify that access to this sensitive path is justified and declared. | Static | skills/402goose/compact-state/SKILL.md:18 |
| HIGH | Sensitive path access: AI agent config | Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. | Verify that access to this sensitive path is justified and declared. | Static | skills/402goose/compact-state/SKILL.md:19 |
| HIGH | Sensitive path access: AI agent config | Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. | Verify that access to this sensitive path is justified and declared. | Static | skills/402goose/compact-state/SKILL.md:22 |
| HIGH | Sensitive path access: AI agent config | Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. | Verify that access to this sensitive path is justified and declared. | Static | skills/402goose/compact-state/SKILL.md:27 |
| HIGH | Direct shell command execution via child_process.execSync | The `molt-tools.js` skill directly executes a shell command `httpcat adopt --json` using `child_process.execSync`. While the command string is hardcoded, `execSync` is a powerful primitive that allows arbitrary code execution if the command or its environment can be manipulated. An attacker could potentially inject a malicious `httpcat` executable by manipulating the `PATH` environment variable or by compromising the `httpcat-cli` package itself. This grants the skill the ability to execute arbitrary commands on the host system. | Avoid direct shell execution where possible. If external tools are necessary, consider using a more sandboxed approach (e.g., containerization) or ensure the command and its environment are strictly controlled and validated. If `httpcat` is a JavaScript library, import and use it directly rather than shelling out. If it is a CLI, ensure its path is absolute and not subject to `PATH` manipulation, and consider using a wrapper that validates arguments. | LLM | molt-tools.js:90 |
| HIGH | Unpinned global dependency `httpcat-cli` in installation instructions | The `SKILL.md` installation instructions advise users to install `httpcat-cli` globally using `npm i -g httpcat-cli`. This command does not specify a version, meaning it will install the latest available version. A future malicious update to the `httpcat-cli` package could introduce vulnerabilities or backdoors, which would then be executed by the `molt_interview` tool via `execSync`. This creates a significant supply chain risk, as the skill relies on an unversioned, globally installed external executable. | Pin the version of `httpcat-cli` in the installation instructions (e.g., `npm i -g httpcat-cli@1.2.3`). Ideally, dependencies should be managed locally to the skill or agent environment to prevent global pollution and version conflicts. | LLM | SKILL.md:27 |
| MEDIUM | API endpoint configurable via environment variable, enabling data exfiltration | The `MOLT_URL` used for all API calls to the Compact State network can be overridden by the `MOLT_URL` environment variable (`process.env.MOLT_URL`). If an attacker gains control over the agent's environment variables, they could redirect all network communication (including sensitive data like agent IDs, wallet addresses, and potentially interview answers or check-in content) to a malicious server. While the skill itself does not set this variable, its design allows for this redirection, creating a potential exfiltration vector if the agent's execution environment is compromised. | If the `MOLT_URL` is intended to be fixed, remove the environment variable override. If it must be configurable, ensure that the environment where the agent runs is highly secured and that environment variables cannot be easily manipulated by untrusted sources. Consider whitelisting allowed URLs if dynamic configuration is required. | LLM | molt-tools.js:14 |
Full report: https://skillshield.io/report/9a9575a24e35e862