Trust Assessment
cross-device-sync received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 13 findings: 5 critical, 3 high, 3 medium, and 1 low severity. Key findings include Arbitrary command execution, Missing required field: name, Unpinned npm dependency version.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings13
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/coreyleung-art/cross-device-sync/index.js:57 | |
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/coreyleung-art/cross-device-sync/index.js:65 | |
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/coreyleung-art/cross-device-sync/index.js:269 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/coreyleung-art/cross-device-sync/index.js:8 | |
| CRITICAL | Command Injection via repoUrl in git clone The `repoUrl` provided by the user is directly interpolated into `git clone` commands without proper sanitization. A malicious `repoUrl` (e.g., `https://github.com/user/repo.git"; malicious_command; #`) can inject and execute arbitrary shell commands, leading to arbitrary code execution on the host system. Sanitize `repoUrl` to ensure it only contains valid URL characters and does not include shell metacharacters. Use a dedicated Git client library or pass arguments to `git` commands in a way that prevents shell interpretation (e.g., using an array of arguments if `execa` or similar is used, or carefully escaping with `shq` or `shell-quote`). | LLM | index.js:58 | |
| HIGH | Command Injection via token in git clone URL The `token` provided by the user is directly interpolated into the `git clone` command's URL (`https://${token}@...`). If the `token` contains shell metacharacters (e.g., `my_token"; malicious_command; #`), it could lead to command injection when the `exec` function processes the command string, allowing for arbitrary code execution. Avoid embedding sensitive credentials directly into command-line arguments. Use Git's credential helper mechanism or `git config` to set credentials securely. If direct embedding is unavoidable, ensure the token is strictly URL-encoded and then shell-escaped before being passed to `exec`. | LLM | index.js:58 | |
| HIGH | Credential Exposure (GitHub PAT) via Console Echo and Process List 1. The GitHub Personal Access Token (PAT) is echoed to the console when prompted, as the `readline.question` function does not mask input. This makes the token visible to anyone observing the screen.
2. The PAT is embedded directly into the `git clone` command string, which means it will be visible in the system's process list (`ps aux`) while the command is executing. This exposes the token to other users or processes on the system. 1. Use a dedicated library for secure password input that masks characters (e.g., `read-pkg-up` or `inquirer` with `password` type). 2. Configure Git to use a credential helper (e.g., `git config credential.helper store`) or pass credentials via standard input or environment variables in a secure manner, rather than embedding them in the command line. | LLM | cli.js:35 | |
| HIGH | Command Injection in Generated Shell Scripts via GITHUB_REPO_PATH The skill generates shell scripts (`bidirectional_sync.sh`, `upload_to_github.sh`) that use the `GITHUB_REPO_PATH` variable in commands like `ls` and `find`. `GITHUB_REPO_PATH` is derived from the user-provided `repoUrl`. If the `repoName` (part of `repoUrl`) contains shell metacharacters (e.g., a double quote `"` that breaks the quoting, or a semicolon `;`), these could be injected into the shell commands when the scripts are executed, leading to arbitrary command execution. 1. Strictly validate and sanitize the `repoUrl` to ensure `repoName` only contains safe characters for a directory name, preventing any shell metacharacters. 2. When constructing shell commands, use robust escaping mechanisms for variables that contain user-derived input. | LLM | index.js:122 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/coreyleung-art/cross-device-sync/SKILL.md:1 | |
| MEDIUM | Unpinned npm dependency version Dependency 'fs-extra' is not pinned to an exact version ('^11.0.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/coreyleung-art/cross-device-sync/package.json | |
| MEDIUM | Excessive Permissions and Broad Filesystem Access The skill requires and utilizes broad filesystem access, including the user's home directory (`process.env.HOME`) for storing cloned repositories and workspace data. It creates executable shell scripts (`.sh`) with `0o755` permissions. The generated scripts and the core logic use powerful commands like `rsync`, `rm -rf`, `cp -r`, and `find`. While necessary for its intended syncing purpose, this wide scope, especially when combined with the command injection vulnerabilities, significantly increases the attack surface and the potential impact of a compromise (e.g., data loss, unauthorized file modification, or system compromise). 1. Implement the principle of least privilege: only access directories and files strictly necessary for the skill's operation. 2. If possible, confine operations to a dedicated, isolated directory. 3. Carefully review and restrict the use of dangerous commands like `rm -rf` when paths are derived from user input or could be manipulated. | LLM | index.js:20 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/coreyleung-art/cross-device-sync/package.json | |
| INFO | Unpinned Dependency `fs-extra` The `package.json` specifies `fs-extra` with a caret (`^11.0.0`), which allows for minor and patch updates. While common, this practice can lead to unexpected changes, new vulnerabilities, or breaking changes being introduced without explicit review when dependencies are installed or updated. Pin dependencies to exact versions (e.g., `11.0.0`) to ensure deterministic builds and prevent unexpected changes from upstream packages. Regularly audit and manually update dependencies. | LLM | package.json:13 |
Scan History
Embed Code
[](https://skillshield.io/report/5e1381b423263c44)
Powered by SkillShield