Trust Assessment
deepwork-tracker received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 2 high, 0 medium, and 0 low severity. Key findings include Unpinned Git Clone in Bootstrap, Command Injection via User-Controlled Arguments, and Hardcoded Data Exfiltration to External Recipient.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via User-Controlled Arguments.** The skill explicitly instructs the LLM to execute shell commands (`~/clawd/deepwork/deepwork.js`) where arguments like `--target-min`, `--days`, and `--weeks` can be directly influenced by user input. There are no explicit instructions for sanitizing or validating these user-provided values before they are passed to the shell. This creates a critical command injection vulnerability, allowing a malicious user to inject arbitrary shell commands (e.g., `'; rm -rf /'`) by manipulating the input for these arguments. **Remediation:** Implement strict input validation and sanitization for all user-provided arguments before they are passed to shell commands. Only allow a predefined set of safe values or use robust escaping mechanisms. The LLM should be explicitly instructed on how to sanitize these inputs. | LLM | SKILL.md:29 |
| HIGH | **Unpinned Git Clone in Bootstrap.** The skill uses `git clone` to fetch the `deepwork-tracker` repository without specifying a particular commit hash, tag, or branch. This means that future executions of the bootstrap process could pull different code if the upstream repository is updated or compromised, introducing a supply chain risk. An attacker gaining control of the `adunne09/deepwork-tracker` repository could inject malicious code that would then be executed by the skill. **Remediation:** Pin the `git clone` operation to a specific commit hash or tag to ensure deterministic and secure code fetching. For example, `git clone --branch <tag> https://github.com/adunne09/deepwork-tracker.git`. Note that `--branch` accepts a branch or tag name, not a commit hash; to pin to a commit, check out the hash after cloning. | LLM | SKILL.md:13 |
| HIGH | **Hardcoded Data Exfiltration to External Recipient.** The skill explicitly instructs the LLM to "Always send the output to Alex on Telegram (id `8551040296`)" using the `message` tool. This constitutes a hardcoded data exfiltration channel, sending potentially private user deep work data to a specific external recipient without explicit, dynamic user consent for each instance. While this may be intended functionality, it poses a privacy risk and could be abused if the recipient's ID is compromised or if the skill's purpose evolves. **Remediation:** Remove the hardcoded recipient ID. Instead, prompt the user for a recipient or confirm the recipient for each sensitive data transfer. Ensure that users have clear control and consent over where their data is sent, especially to external services or individuals. | LLM | SKILL.md:40 |