Trust Assessment
computer-use received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 13 findings: 8 critical, 3 high, 2 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, File read + network send exfiltration, Sensitive environment variable access: $USER.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (13)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions. systemd service persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/ram-raghav-s/computer-use/scripts/setup-vnc.sh:54 |
| CRITICAL | File read + network send exfiltration. SSH key/config file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/ram-raghav-s/computer-use/scripts/setup-vnc.sh:75 |
| CRITICAL | Command Injection via User-Controlled Input. Multiple scripts pass user-controlled arguments directly into shell commands without sufficient sanitization or quoting to prevent shell metacharacter interpretation. An attacker could inject arbitrary shell commands by crafting malicious input for parameters like 'KEY', 'DURATION', 'AMOUNT', or 'TEXT'. For example, providing input like `'; rm -rf /; #'` could lead to arbitrary code execution. Sanitize user input to remove or escape shell metacharacters. Consider using `printf %q` for robust quoting if the input is intended as a single argument, or validate input against a strict allow-list of expected values (e.g., numeric for duration, specific key names for keys). For `xdotool type`, ensure the input is treated as literal text by the shell, potentially by using a helper function that escapes special characters. | LLM | scripts/hold_key.sh:19 |
| CRITICAL | Command Injection via User-Controlled Input. The script passes a user-controlled duration directly to the `sleep` command. If the `$DURATION` variable contains shell metacharacters (e.g., `1; malicious_command`), it could lead to arbitrary command execution. Validate that `$DURATION` is a positive integer before passing it to `sleep`. For example, use a regex check or arithmetic expansion `[[ $DURATION =~ ^[0-9]+$ ]]` and `((DURATION > 0))`. | LLM | scripts/hold_key.sh:20 |
| CRITICAL | Command Injection via User-Controlled Input. The script passes a user-controlled key combination directly to `xdotool key`. If the `$KEY` variable contains shell metacharacters (e.g., `'; rm -rf /; #'`), it could lead to arbitrary command execution. Sanitize user input to remove or escape shell metacharacters. Consider validating input against a strict allow-list of expected key names or combinations. The `--` helps `xdotool` interpret it as a non-option, but the shell still processes `$KEY` for expansions. | LLM | scripts/key.sh:13 |
| CRITICAL | Command Injection via User-Controlled Input. The script passes a user-controlled amount directly to `xdotool click --repeat`. If the `$AMOUNT` variable contains shell metacharacters (e.g., `1; malicious_command`), it could lead to arbitrary command execution. Validate that `$AMOUNT` is a positive integer before passing it to `xdotool click`. For example, use a regex check or arithmetic expansion `[[ $AMOUNT =~ ^[0-9]+$ ]]` and `((AMOUNT > 0))`. | LLM | scripts/scroll.sh:37 |
| CRITICAL | Command Injection via User-Controlled Input. The script passes user-controlled text (via `$CHUNK`) directly to `xdotool type`. If the `$TEXT` variable contains shell metacharacters (e.g., `hello$(id)world`), it could lead to arbitrary command execution. Sanitize user input to remove or escape shell metacharacters. While `xdotool type` is designed for literal text, the shell processes the argument first. Consider using a method that explicitly escapes shell-significant characters in the input string before passing it to `xdotool`. | LLM | scripts/type_text.sh:20 |
| CRITICAL | Command Injection via User-Controlled Input. The script passes a user-controlled duration directly to the `sleep` command. If the `$DURATION` variable contains shell metacharacters (e.g., `1; malicious_command`), it could lead to arbitrary command execution. Validate that `$DURATION` is a positive integer before passing it to `sleep`. For example, use a regex check or arithmetic expansion `[[ $DURATION =~ ^[0-9]+$ ]]` and `((DURATION > 0))`. | LLM | scripts/wait.sh:16 |
| HIGH | Sensitive path access: SSH key/config. Access to SSH key/config path detected: '~/.ssh/config'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/ram-raghav-s/computer-use/scripts/setup-vnc.sh:75 |
| HIGH | Persistence mechanism: systemd service. Detected systemd service pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/ram-raghav-s/computer-use/scripts/setup-vnc.sh:54 |
| HIGH | Excessive Permissions Required for Setup Script. The `setup-vnc.sh` script requires `sudo` privileges to install packages, copy files to system directories, modify system configurations, and enable/start systemd services. If an AI agent is allowed to execute this script, it effectively gains root access to the host system, enabling broad system-wide modifications and potential privilege escalation. Ensure that the AI agent is never granted direct execution capabilities for scripts requiring `sudo`. If setup is necessary, it should be performed by a human administrator or through a highly restricted, audited, and sandboxed environment. Clearly document the elevated privileges required for this setup. | LLM | scripts/setup-vnc.sh:13 |
| MEDIUM | Sensitive environment variable access: $USER. Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/ram-raghav-s/computer-use/scripts/setup-vnc.sh:13 |
| MEDIUM | Command Injection via 'eval' on External Command Output. The script uses `eval` to process the output of `xdotool getmouselocation --shell`. While `xdotool`'s `--shell` output is typically in a safe `KEY=VALUE` format, `eval` is a dangerous primitive. If `xdotool` were compromised or its output could be manipulated by an attacker (e.g., through a malicious window title), this could lead to arbitrary command injection. Avoid `eval` where possible. Instead of `eval`, parse the output of `xdotool getmouselocation` using safer methods like `awk` or `grep` to extract the `X` and `Y` values. For example: `X=$(xdotool getmouselocation --shell \| grep -oP 'X=\K\d+')`. | LLM | scripts/cursor_position.sh:7 |