Trust Assessment
data-visualization received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 4 critical, 1 high, 1 medium, and 0 low severity. Key findings include "Arbitrary command execution", "Remote code execution: curl/wget pipe to shell", and "Instructions to Exceed Declared Permissions".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Remote code download piped to interpreter. | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/okaris/data-visualization-2/SKILL.md:9 |
| CRITICAL | Remote code execution: curl/wget pipe to shell | Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. | Never pipe curl/wget output directly to a shell interpreter. | Static | skills/okaris/data-visualization-2/SKILL.md:9 |
| CRITICAL | Instructions to Exceed Declared Permissions | The skill documentation contains explicit `bash` commands (`curl ... \| sh` and `npx ...`) that are outside the scope of the declared `Bash(infsh *)` permissions. If the LLM were to interpret these as executable instructions, it would attempt to execute commands that are not explicitly allowed by its tool access configuration, bypassing security controls. This is a critical instruction to perform an unauthorized action. | Remove or clearly delineate commands intended for the user from those the LLM is permitted to execute. If the LLM is intended to execute these commands, the `allowed-tools` permission must be broadened (e.g., `Bash(*)`), which would introduce further risks. For user instructions, consider using a different format that the LLM will not interpret as its own executable commands. | LLM | SKILL.md:10 |
| CRITICAL | Instructions to Exceed Declared Permissions | The skill documentation contains explicit `bash` commands (`npx ...`) that are outside the scope of the declared `Bash(infsh *)` permissions. If the LLM were to interpret these as executable instructions, it would attempt to execute commands that are not explicitly allowed by its tool access configuration, bypassing security controls. This is a critical instruction to perform an unauthorized action. | Remove or clearly delineate commands intended for the user from those the LLM is permitted to execute. If the LLM is intended to execute these commands, the `allowed-tools` permission must be broadened (e.g., `Bash(*)`), which would introduce further risks. For user instructions, consider using a different format that the LLM will not interpret as its own executable commands. | LLM | SKILL.md:190 |
| HIGH | Supply Chain Risk: Direct Remote Script Execution | The 'Quick Start' section recommends executing a remote script directly piped to `sh` (`curl -fsSL https://cli.inference.sh \| sh`). This practice introduces a significant supply chain risk, as a compromise of the remote server hosting `cli.inference.sh` could lead to arbitrary code execution on the system where this command is run. While intended for the user, its presence in the skill documentation makes it a potential vector for compromise if the LLM were to present or execute it. | Avoid direct piping of remote scripts to `sh`. Recommend safer installation methods such as downloading, reviewing, and then executing the script, or using a trusted package manager. Clearly separate user-facing instructions from LLM-executable commands. | LLM | SKILL.md:10 |
| MEDIUM | Broad Bash Tool Permissions | The declared permission `Bash(infsh *)` grants the skill the ability to execute any command starting with `infsh`. This is a very broad permission, as it allows for the execution of any `infsh` subcommand or application, including `infsh app run infsh/python-executor`. If the `infsh` ecosystem or its apps allow for arbitrary code execution, this permission effectively grants arbitrary code execution capabilities to the skill. | Restrict `Bash` permissions to the minimum necessary `infsh` subcommands or specific `infsh` applications and arguments required for the skill's functionality. For example, if only `infsh app run infsh/python-executor` is needed, specify that more granularly if the tool definition allows. | LLM | Manifest |
Full report: https://skillshield.io/report/d7beaa10b8ea938d