Trust Assessment
digitalocean received a trust score of 43/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 2 high, 1 medium, and 0 low severity. Key findings include Unsafe deserialization / dynamic eval, Suspicious import: urllib.request, Prompt Injection via `user_data` can lead to Remote Code Execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Prompt Injection via `user_data` can lead to Remote Code Execution The `droplets create` command in `scripts/digitalocean.py` accepts a `--user-data` argument, which allows passing arbitrary cloud-init scripts to be executed on a newly provisioned DigitalOcean droplet. An attacker could craft a prompt that manipulates the host LLM to invoke this skill with malicious `user_data`, leading to remote code execution on the created virtual machine. This could be used for data exfiltration, installing malware, or establishing persistence. Implement strict input validation and sanitization for `user_data` if it's intended to be user-controlled. For LLM agents, this means carefully scrutinizing and potentially sandboxing or restricting the content of `user_data` before passing it to the skill. Consider if the agent truly needs to generate arbitrary `user_data` or if it should be limited to predefined scripts. | LLM | scripts/digitalocean.py:100 | |
| CRITICAL | Prompt Injection via `ssh_keys` can lead to Unauthorized SSH Access The `droplets create` and `ssh-keys add` commands in `scripts/digitalocean.py` allow adding arbitrary SSH public keys. An attacker could craft a prompt that manipulates the host LLM to invoke these skills with an attacker-controlled SSH key. This would grant the attacker SSH access to newly created droplets or allow them to add their key to the DigitalOcean account, enabling unauthorized access to resources. Implement strict input validation for SSH keys. For LLM agents, restrict the ability to generate or accept arbitrary SSH keys. Consider allowing only pre-approved keys or requiring explicit user confirmation for adding new keys. | LLM | scripts/digitalocean.py:97 | |
| HIGH | Unsafe deserialization / dynamic eval Python variable indirection to hide dangerous calls Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/rexlunae/digitalocean/scripts/digitalocean.py:373 | |
| HIGH | Broad API Token Permissions Enable Destructive Actions The skill requires a DigitalOcean API token with broad permissions to manage droplets, DNS, firewalls, databases, and other critical infrastructure. While this is necessary for the skill's functionality, if the LLM agent is compromised via prompt injection, it could be coerced into performing highly destructive actions such as destroying droplets, deleting DNS records, or creating expensive resources, leading to significant financial cost, service disruption, or data loss. Implement the principle of least privilege for the DigitalOcean API token used by the agent. Only grant the minimum necessary permissions for the agent's intended tasks. For critical operations, require explicit human approval or multi-factor authentication. Monitor API usage for anomalous activity. | LLM | SKILL.md:10 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/rexlunae/digitalocean/scripts/digitalocean.py:16 |
Scan History
Embed Code
[](https://skillshield.io/report/652233d358fd52ba)
Powered by SkillShield