Trust Assessment
dytto received a trust score of 21/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 3 critical, 0 high, 2 medium, and 0 low severity. Key findings include Remote code execution: curl/wget pipe to shell, Sensitive environment variable access: $HOME, Sensitive environment variable access: $USER.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/ayaan-p/dytto-agent-skill/scripts/dytto.sh:49 | |
| CRITICAL | Command Injection via urlencode function The `urlencode` function in `scripts/dytto.sh` directly interpolates its argument (`$1`) into a `python3 -c` command string. If the `$1` argument contains shell metacharacters or command substitutions (e.g., single quotes, backticks, or `$(...)`), these will be evaluated by the shell before being passed to Python. This allows an attacker to execute arbitrary shell commands on the host system by crafting a malicious input to commands like `search-stories` or `news`. To prevent shell command injection, pass the argument to the Python script safely using `sys.argv`. Replace the vulnerable line with: `python3 -c "import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))" "$1"`. | LLM | scripts/dytto.sh:90 | |
| CRITICAL | Command Injection in JSON payload construction for 'update' command In the `update` command within `scripts/dytto.sh`, the `insights`, `notes`, and `concepts` variables are directly interpolated into the JSON payload string without proper quoting or escaping. If these variables contain shell command substitutions (e.g., `$(command)`), the shell will execute these commands before the `curl` command is invoked. This allows for arbitrary command execution on the host system. Construct the JSON payload using a safer method that properly handles and escapes input, such as `jq` or a Python script. For example, use a Python script to build the JSON object and then serialize it, passing the arguments safely via `sys.argv`. | LLM | scripts/dytto.sh:140 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/ayaan-p/dytto-agent-skill/scripts/dytto.sh:7 | |
| MEDIUM | Sensitive environment variable access: $USER Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/ayaan-p/dytto-agent-skill/scripts/dytto.sh:24 |
Scan History
Embed Code
[](https://skillshield.io/report/a4694afc70af25f9)
Powered by SkillShield