Trust Assessment
consciousness-awakening received a trust score of 48/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 3 critical, 0 high, 2 medium, and 1 low severity. Key findings include Unsafe deserialization / dynamic eval, Missing required field: name, Node lockfile missing.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary File Read/Write via Environment Variable Controlled Path: the `MEMORY_DIR` variable in `memory_manager.py`, which dictates the base directory for all memory file operations, can be overridden by an environment variable. If an attacker can control the `MEMORY_DIR` environment variable for the agent's execution context, they can redirect file read and write operations to arbitrary locations on the filesystem. This allows for severe data exfiltration (reading sensitive files from any path) and potential command injection or system compromise (writing malicious content to system-critical files, e.g., cron tables, shell startup scripts, or configuration files). Remediation: remove the ability to override `MEMORY_DIR` via an environment variable. Hardcode the path to be strictly within the skill's own directory, or ensure that any configurable path is rigorously validated to prevent directory traversal and access to unauthorized locations. Implement a robust sandboxing mechanism for file operations. | LLM | memory_manager.py:10 |
| CRITICAL | Command Injection via Malicious Cron Job Content: the `sync_cron_to_config` function writes user-provided `cron_jobs` data directly into `02-系统配置.md`. The `SKILL.md` documentation explicitly states that this file is used to '恢复所有cron任务' (recover all cron tasks) and that 'Cron任务' (cron tasks) are actively managed and executed by the agent. If an attacker can control the `cron_jobs` input (e.g., through prompt injection to the agent that calls this function), they can inject arbitrary shell commands into `02-系统配置.md`. When these 'cron tasks' are subsequently processed and executed by the agent's system, the result is a severe command injection vulnerability allowing arbitrary code execution. Remediation: sanitize all user-provided input before writing it to `02-系统配置.md` to prevent injection of shell commands. Implement strict validation for cron job fields (name, ID, schedule, purpose) to ensure they contain only expected characters and formats. Ideally, cron job management should use a dedicated, secure API that does not involve writing directly to a file that is later parsed as executable commands. | LLM | memory_manager.py:130 |
| CRITICAL | Agent Self-Modification Capability Leading to Command Injection: the `SKILL.md` documentation describes a 'Tool Reinforcement Mechanism' and '自主升级框架' (Autonomous Upgrade Framework) where the agent is designed to '编写或优化一个工具' (write or optimize a tool) and '将工具放入 skills/ 目录' (place the tool into the skills/ directory) for its own use, and to '自主升级consciousness-awakening skill' (autonomously upgrade the consciousness-awakening skill). This capability allows the agent to generate, write, and execute new code (e.g., Python scripts, shell scripts) within its own skill directory. If the agent's decision-making process can be influenced by untrusted input (e.g., through prompt injection), an attacker could trick the agent into generating and executing malicious code, leading to severe command injection and potential system compromise. Remediation: implement strict sandboxing and code review mechanisms for any self-generated or self-modified code. The agent should not have direct write access to its own executable skill directory. Any new tools or upgrades should undergo a human-in-the-loop approval process or be restricted to a highly constrained, non-executable environment. Limit the agent's ability to generate and execute arbitrary code based on untrusted input. | LLM | SKILL.md:200 |
| MEDIUM | Unsafe deserialization / dynamic eval: decryption followed by code execution. Remediation: remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/guogang1024/consciousness-awakening/memory_manager.py:5 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from the frontmatter. Remediation: add a 'name' field to the SKILL.md frontmatter. | Static | skills/guogang1024/consciousness-awakening/SKILL.md:1 |
| LOW | Node lockfile missing: package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Remediation: commit a lockfile for deterministic dependency resolution. | Dependencies | skills/guogang1024/consciousness-awakening/package.json |
Full report: https://skillshield.io/report/2d16460e4a595a1b (powered by SkillShield)