Trust Assessment
email-daily-summary received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 3 critical, 6 high, 3 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Persistence mechanism: macOS LaunchAgent, Unpinned dependency `browser-use[cli]`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (12)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions. Crontab manipulation (list/remove/edit). Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/10e9928a/email-daily-summary/SKILL.md:214 |
| CRITICAL | Persistence / self-modification instructions. macOS LaunchAgent/LaunchDaemon persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/10e9928a/email-daily-summary/SKILL.md:222 |
| CRITICAL | Persistence / self-modification instructions. macOS LaunchAgent/LaunchDaemon persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/10e9928a/email-daily-summary/SKILL.md:253 |
| HIGH | Persistence mechanism: macOS LaunchAgent. Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/10e9928a/email-daily-summary/SKILL.md:222 |
| HIGH | Persistence mechanism: macOS LaunchAgent. Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/10e9928a/email-daily-summary/SKILL.md:253 |
| HIGH | Unpinned dependency `browser-use[cli]`. The skill instructs users to install `browser-use[cli]` without specifying a version. This makes the skill vulnerable to supply chain attacks if a malicious version of the package is published to PyPI, as the latest version would be installed automatically. Pin the version of `browser-use[cli]` to a known good version (e.g., `browser-use[cli]==X.Y.Z`) to ensure consistent and secure installations and mitigate supply chain risks. | LLM | SKILL.md:20 |
| HIGH | Overly broad `Bash(browser-use:*)` permission. The declared permission `Bash(browser-use:*)` grants the skill full, unrestricted control over the `browser-use` tool. This tool can execute arbitrary JavaScript and Python code, open any URL, interact extensively with web content, and take screenshots. This broad access significantly increases the attack surface and potential for misuse, allowing the skill to perform actions beyond its stated purpose if manipulated. Restrict `browser-use` permissions to only the specific sub-commands and capabilities absolutely required by the skill (e.g., `Bash(browser-use:open,eval,screenshot,input,click)`) if the tool supports such granular permissions. | LLM | Manifest |
| HIGH | Potential for shell injection via `browser-use input`. The skill demonstrates using `browser-use input` to enter text into web fields. If an LLM were to dynamically construct these commands using unsanitized user input, for example input containing shell metacharacters (e.g., `; rm -rf /`) passed directly, it could lead to shell injection, allowing arbitrary commands to be executed on the host system. Implement strict sanitization and escaping of all user-provided input before it is passed as an argument to `browser-use` commands, especially `browser-use input`, to prevent shell injection. | LLM | SKILL.md:45 |
| HIGH | Potential for code injection via `browser-use eval` and `browser-use python`. The skill uses `browser-use eval` and `browser-use python` to execute arbitrary JavaScript and Python code within the browser context or a Python interpreter. If an LLM were to dynamically generate or incorporate unsanitized user input into these code strings, it could lead to code injection, allowing malicious scripts to run in the browser or Python environment, potentially accessing or manipulating sensitive data. Ensure that any dynamic content or user input incorporated into `browser-use eval` or `browser-use python` commands is rigorously sanitized and escaped to prevent the execution of unintended or malicious code. | LLM | SKILL.md:69 |
| MEDIUM | Undeclared `mkdir` command used in script. The `email_daily_summary.sh` script, which is part of the skill's functionality, uses the `mkdir -p` command to create directories. However, `mkdir` is not explicitly listed in the skill's `allowed-tools` manifest. This indicates a potential discrepancy between declared and actual tool usage, or an implicit permission that should be made explicit for transparency and security auditing. Explicitly declare `Bash(mkdir:*)` in the skill's `allowed-tools` manifest if directory creation is an intended and necessary function. Alternatively, use a tool that is already permitted to manage directories. | LLM | SKILL.md:109 |
| MEDIUM | Collection of sensitive email data. The skill's primary function involves accessing and extracting highly sensitive user email data (sender, subject, snippet, and potentially full content via `browser.html`). While this is the intended purpose, the broad capabilities of `browser-use` (e.g., `eval`, `python`, `screenshot`) mean that a malicious prompt could instruct the LLM to extract and potentially exfiltrate this data beyond its intended secure use, or store it insecurely. Implement strict output filtering and data handling policies for the LLM to ensure that extracted sensitive data is only processed and stored in secure, authorized ways, and not inadvertently exposed or exfiltrated. Users should be fully aware of the data access implications. | LLM | SKILL.md:69 |
| MEDIUM | Demonstration of direct password input. The skill provides an example of directly inputting a password using `browser-use input <password_input_index> "your-password"`. Although a security tip warns against plaintext passwords, this demonstration could lead to an LLM or user inadvertently using this insecure pattern with actual credentials, making them vulnerable to harvesting if the environment is compromised or logs are exposed. Strongly advise against any direct input of passwords in skill examples. Emphasize the use of secure methods like environment variables, credential managers, or the recommended `--browser real` mode which reuses existing login sessions. Consider removing or heavily de-emphasizing examples that show direct password input. | LLM | SKILL.md:48 |