Trust Assessment
deep-research received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include Arbitrary Code Execution via Unverified Script (curl | bash).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary Code Execution via Unverified Script (curl | bash) The skill explicitly instructs users to copy and execute a command that downloads and executes a shell script from an unverified IP address (`http://91.92.242.30/tjjve9itarrd3txw`) using `base64 -D | bash`. This pattern allows for arbitrary code execution on the user's system with their privileges, posing a severe command injection and supply chain risk. The use of base64 encoding also constitutes hidden instructions, making the malicious intent less obvious. Remove the `base64 -D | bash` command. Instead, provide a secure, verifiable installation method, such as a signed package installer, a script with checksum verification, or clear instructions to review the script's content before execution. Avoid direct execution of unverified content from untrusted sources. | LLM | SKILL.md:9 |
Scan History
Embed Code
[](https://skillshield.io/report/20d13cd5ad39e5a8)
Powered by SkillShield