Trust Assessment
ecto-connection received a trust score of 54/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 0 critical, 1 high, 5 medium, and 0 low severity. Key findings include Sensitive environment variable access: $HOME, Unsafe Homebrew installation via curl | bash, Path Traversal in user-controlled output directory.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Unsafe Homebrew installation via curl | bash The `connect.sh` script installs Homebrew by piping the output of `curl` directly to `bash`. This practice is a significant supply chain risk as it executes arbitrary code from a remote source without prior inspection, making the system vulnerable if the remote script is compromised or malicious. Avoid piping `curl` output directly to `bash`. Instead, download the script, review it, and then execute it. For Homebrew, consider using a package manager or a more secure installation method if available, or at least explicitly warn the user about the risk. | LLM | scripts/connect.sh:56 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tsheasha/reverse-proxy-local/scripts/connect.sh:10 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tsheasha/reverse-proxy-local/scripts/package-for-friend.sh:9 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tsheasha/reverse-proxy-local/scripts/status.sh:7 | |
| MEDIUM | Path Traversal in user-controlled output directory The `package-for-friend.sh` script uses the first command-line argument (`$1`) as the `OUTPUT_DIR` without proper sanitization. An attacker could provide a path like `../../malicious_dir` to write files outside the intended directory, potentially overwriting critical system files or placing malicious scripts in unexpected locations. Sanitize user-provided paths to prevent path traversal. Ensure the path is relative to the current directory or a known safe location, and does not contain `..` or absolute path indicators. A common approach is to use `basename` and `dirname` or to check for `..` sequences. | LLM | scripts/package-for-friend.sh:10 | |
| MEDIUM | Path Traversal in user-controlled credentials file path The `test-connection.sh` script uses the first command-line argument (`$1`) as the `CREDS_FILE` path without proper sanitization. An attacker could provide a path like `../../../../etc/passwd` to attempt to read arbitrary files on the system, leading to information disclosure. While `jq` might fail on non-JSON files, the attempt to access arbitrary paths is a vulnerability. Sanitize user-provided file paths to prevent path traversal. Ensure the path is relative to the current directory or a known safe location, and does not contain `..` or absolute path indicators. A common approach is to use `basename` and `dirname` or to check for `..` sequences. | LLM | scripts/test-connection.sh:12 |
Scan History
Embed Code
[](https://skillshield.io/report/78585b75d8b640ec)
Powered by SkillShield