Trust Assessment
concierge received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via `concierge call` arguments, Credential and PII Exposure via config and logs, Excessive Permissions and Network Exposure via `ngrok` integration.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Potential Command Injection via `concierge call` arguments.** The `concierge call` command takes multiple string arguments such as `--goal`, `--name`, `--email`, `--customer-phone`, and `--context`. The skill description states that the tool "starts `ngrok` + call server automatically" when needed, which implies that the `concierge` tool executes shell commands internally to manage this infrastructure. If these user-provided arguments are not properly sanitized or escaped before being incorporated into internal shell commands (e.g., when invoking `ngrok` or the call server), an attacker could inject arbitrary shell commands, leading to remote code execution on the host system. *Remediation:* implement robust input sanitization and validation for all arguments passed to internal shell commands. Use parameterized commands (argument vectors rather than a single shell string) or ensure all user-provided strings are properly escaped so that shell metacharacters are never interpreted. | LLM | SKILL.md:19 |
| CRITICAL | **Excessive Permissions and Network Exposure via `ngrok` integration.** The `concierge call` command automatically starts `ngrok` to expose a local call server to the internet. Although this is a documented feature, it creates an internet-facing endpoint on the user's local machine and grants the skill broad network exposure. If the local call server or the `concierge` tool itself has any vulnerabilities, this `ngrok` tunnel could be exploited by external attackers to gain unauthorized access to the host system or internal network, leading to severe compromise. *Remediation:* harden the local call server, including input validation, authentication, and authorization. Consider making `ngrok` activation an explicit user action rather than automatic, or provide clear warnings about the security implications. Ensure the exposed service is minimal, sandboxed, and follows the principle of least privilege. | LLM | SKILL.md:28 |
| HIGH | **Credential and PII Exposure via config and logs.** (1) *Credential harvesting:* the skill instructs users to configure sensitive API keys and tokens (e.g., `twilioAuthToken`, `deepgramApiKey`, `anthropicApiKey`, `ngrokAuthToken`) using `concierge config set`. The command `concierge config show` is provided to "Check values". If this command outputs the raw credentials to standard output, an LLM with access to the tool's output could harvest these secrets. (2) *Data exfiltration:* the `concierge call` command accepts Personally Identifiable Information (PII) such as `--name`, `--email`, and `--customer-phone`. The skill also states that server/ngrok logs are written to `~/.config/concierge/call-runs/<run-id>/`. If these logs contain PII or other sensitive call context in plain text, and an LLM has filesystem access, this could lead to data exfiltration. *Remediation:* for `concierge config show`, redact sensitive values by default (e.g., show `*****`) and require an explicit flag (e.g., `--reveal`) to display raw credentials. Ensure logs are properly secured and do not contain sensitive PII or credentials in plain text, or implement strict access controls on log files to prevent unauthorized access. | LLM | SKILL.md:60 |